diff options
author | Corey Minyard <minyard@acm.org> | 2014-01-21 15:48:44 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-01-21 16:19:42 -0800 |
commit | 4e4f9e66a75921aa260c2f5bf626bdea54e51ba2 (patch) | |
tree | 90c9fe3508062f8056b727aaff577d444f6b55e9 /fs/read_write.c | |
parent | 38316c8ab7f17bc1be8f2898278d5f5131e18bf2 (diff) | |
download | linux-4e4f9e66a75921aa260c2f5bf626bdea54e51ba2.tar.gz linux-4e4f9e66a75921aa260c2f5bf626bdea54e51ba2.tar.bz2 linux-4e4f9e66a75921aa260c2f5bf626bdea54e51ba2.zip |
fs/read_write.c:compat_readv(): remove bogus area verify
The compat_do_readv_writev() function was doing a verify_area on the
incoming iov, but the nr_segs value is not checked. If someone passes
in a -1 for nr_segs, for instance, the function should return an EINVAL.
However, it returns a EFAULT because the verify_area fails because it is
checking an array of size MAX_UINT. The check is bogus, anyway, because
the next check, compat_rw_copy_check_uvector(), will do all the
necessary checking, anyway. The non-compat do_readv_writev() function
doesn't do this check, so I think it's safe to just remove the code.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/read_write.c')
-rw-r--r-- | fs/read_write.c | 4 |
1 files changed, 0 insertions, 4 deletions
diff --git a/fs/read_write.c b/fs/read_write.c index 58e440df1bc6..1193ffd03565 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -901,10 +901,6 @@ static ssize_t compat_do_readv_writev(int type, struct file *file, io_fn_t fn; iov_fn_t fnv; - ret = -EFAULT; - if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector))) - goto out; - ret = compat_rw_copy_check_uvector(type, uvector, nr_segs, UIO_FASTIOV, iovstack, &iov); if (ret <= 0) |