[lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4, natty, natty/ti-omap4, oneiric, precise CVE 2/2] regset: Return -EFAULT, not -EIO, on host-side memory fault

Andy Whitcroft apw at canonical.com
Thu Mar 8 16:08:54 UTC 2012


From: "H. Peter Anvin" <hpa at zytor.com>

There is only one error code to return for a bad user-space buffer
pointer passed to a system call in the same address space as the
system call is executed, and that is EFAULT.  Furthermore, the
low-level access routines, which catch most of the faults, return
EFAULT already.

Signed-off-by: H. Peter Anvin <hpa at zytor.com>
Reviewed-by: Oleg Nesterov <oleg at redhat.com>
Acked-by: Roland McGrath <roland at hack.frob.com>
Cc: <stable at vger.kernel.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>

(cherry picked from commit 5189fa19a4b2b4c3bec37c3a019d446148827717)
CVE-2012-1097
BugLink: http://bugs.launchpad.net/bugs/949905
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 include/linux/regset.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/regset.h b/include/linux/regset.h
index 5150fd1..686f373 100644
--- a/include/linux/regset.h
+++ b/include/linux/regset.h
@@ -339,7 +339,7 @@ static inline int copy_regset_to_user(struct task_struct *target,
 		return -EOPNOTSUPP;
 
 	if (!access_ok(VERIFY_WRITE, data, size))
-		return -EIO;
+		return -EFAULT;
 
 	return regset->get(target, regset, offset, size, NULL, data);
 }
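Review bot: the new `-EFAULT` at the `access_ok(VERIFY_WRITE, data, size)` check in copy_regset_to_user changes an errno that user space can observe, and the commit message does not say whether any caller tests for or translates `-EIO` from this helper. Since the backport is tagged CVE-2012-1097 and the subject marks it as 2/2, please add a line to the backport message stating how this return-code change relates to the CVE fix, and confirm that the callers in each target series do not depend on the old value.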
@@ -365,7 +365,7 @@ static inline int copy_regset_from_user(struct task_struct *target,
 		return -EOPNOTSUPP;
 
 	if (!access_ok(VERIFY_READ, data, size))
-		return -EIO;
+		return -EFAULT;
 
 	return regset->set(target, regset, offset, size, NULL, data);
 }
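Review bot: in copy_regset_from_user the `return -EOPNOTSUPP;` in the leading context still runs before the `access_ok(VERIFY_READ, data, size)` check, so a bad `data` pointer can be reported with an error other than EFAULT depending on which check fails first. The message says EFAULT is the only error code for a bad user-space buffer, so a short comment at this check documenting the intended ordering of the two errors would help. The same applies to the matching check in copy_regset_to_user.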
-- 
1.7.9




