Re: [PATCH] USB: serial: fix invalid user-pointer checks

2016-11-09 Thread Oliver Neukum
On Tue, 2016-11-08 at 16:41 +0100, Johan Hovold wrote:
> On Tue, Nov 08, 2016 at 03:13:13PM +0100, Oliver Neukum wrote:
> > On Tue, 2016-11-08 at 13:26 +0100, Johan Hovold wrote:
> > > Drop invalid user-pointer checks from ioctl handlers.
> > > 
> > > A NULL-pointer can be valid in user space and copy_to_user() takes care
> > > of sanity checking.
> > 
> > Shouldn't we bail out early in these cases?
> 
> I don't think it's worth it, and this is also the general pattern for
> such ioctls. The added overhead for an error case like this is really
> negligible.

OK, as you say.

Regards
Oliver


--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH] USB: serial: fix invalid user-pointer checks

2016-11-09 Thread Johan Hovold
On Wed, Nov 09, 2016 at 11:58:31AM +0100, Oliver Neukum wrote:
> On Tue, 2016-11-08 at 16:41 +0100, Johan Hovold wrote:
> > On Tue, Nov 08, 2016 at 03:13:13PM +0100, Oliver Neukum wrote:
> > > On Tue, 2016-11-08 at 13:26 +0100, Johan Hovold wrote:
> > > > Drop invalid user-pointer checks from ioctl handlers.
> > > > 
> > > > A NULL-pointer can be valid in user space and copy_to_user() takes care
> > > > of sanity checking.
> > > 
> > > Shouldn't we bail out early in these cases?
> > 
> > I don't think it's worth it, and this is also the general pattern for
> > such ioctls. The added overhead for an error case like this is really
> > negligible.
> 
> OK, as you say.

Also remember that access_ok() is not a sufficient sanity check, and
would specifically fail to catch the NULL-pointer case.

Thanks,
Johan


Re: [PATCH] USB: serial: fix invalid user-pointer checks

2016-11-08 Thread Johan Hovold
On Tue, Nov 08, 2016 at 03:13:13PM +0100, Oliver Neukum wrote:
> On Tue, 2016-11-08 at 13:26 +0100, Johan Hovold wrote:
> > Drop invalid user-pointer checks from ioctl handlers.
> > 
> > A NULL-pointer can be valid in user space and copy_to_user() takes care
> > of sanity checking.
> 
> Shouldn't we bail out early in these cases?

I don't think it's worth it, and this is also the general pattern for
such ioctls. The added overhead for an error case like this is really
negligible.

Thanks,
Johan


Re: [PATCH] USB: serial: fix invalid user-pointer checks

2016-11-08 Thread Oliver Neukum
On Tue, 2016-11-08 at 13:26 +0100, Johan Hovold wrote:
> Drop invalid user-pointer checks from ioctl handlers.
> 
> A NULL-pointer can be valid in user space and copy_to_user() takes care
> of sanity checking.

Shouldn't we bail out early in these cases?

Regards
Oliver




[PATCH] USB: serial: fix invalid user-pointer checks

2016-11-08 Thread Johan Hovold
Drop invalid user-pointer checks from ioctl handlers.

A NULL-pointer can be valid in user space and copy_to_user() takes care
of sanity checking.

Signed-off-by: Johan Hovold 
---
 drivers/usb/serial/ftdi_sio.c | 5 -
 drivers/usb/serial/io_edgeport.c  | 3 ---
 drivers/usb/serial/io_ti.c| 3 ---
 drivers/usb/serial/mos7720.c  | 3 ---
 drivers/usb/serial/mos7840.c  | 3 ---
 drivers/usb/serial/opticon.c  | 3 ---
 drivers/usb/serial/quatech2.c | 3 ---
 drivers/usb/serial/ssu100.c   | 3 ---
 drivers/usb/serial/ti_usb_3410_5052.c | 3 ---
 drivers/usb/serial/usb_wwan.c | 3 ---
 10 files changed, 32 deletions(-)

diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 6e9fc8bcc285..23d14b98ae2a 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1455,8 +1455,6 @@ static int get_serial_info(struct usb_serial_port *port,
struct ftdi_private *priv = usb_get_serial_port_data(port);
struct serial_struct tmp;
 
-   if (!retinfo)
-   return -EFAULT;
memset(, 0, sizeof(tmp));
tmp.flags = priv->flags;
tmp.baud_base = priv->baud_base;
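Review bot: with the "if (!retinfo)" test gone from get_serial_info(), nothing in the visible context returns -EFAULT any more, and the copy_to_user() call the changelog relies on sits below these lines. Please confirm the function still checks the copy_to_user() return value and returns -EFAULT on failure, and consider stating in the changelog that an unmapped NULL argument keeps failing with -EFAULT through copy_to_user(), which answers the "bail out early" question up front.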
@@ -1538,9 +1536,6 @@ static int get_lsr_info(struct usb_serial_port *port,
struct ftdi_private *priv = usb_get_serial_port_data(port);
unsigned int result = 0;
 
-   if (!retinfo)
-   return -EFAULT;
-
if (priv->transmit_empty)
result = TIOCSER_TEMT;
 
diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 11c05ce2f35f..dcc0c58aaad5 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -1554,9 +1554,6 @@ static int get_serial_info(struct edgeport_port 
*edge_port,
 {
struct serial_struct tmp;
 
-   if (!retinfo)
-   return -EFAULT;
-
memset(, 0, sizeof(tmp));
 
tmp.type= PORT_16550A;
diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index fce82fd79f77..c339163698eb 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -2459,9 +2459,6 @@ static int get_serial_info(struct edgeport_port 
*edge_port,
struct serial_struct tmp;
unsigned cwait;
 
-   if (!retinfo)
-   return -EFAULT;
-
cwait = edge_port->port->port.closing_wait;
if (cwait != ASYNC_CLOSING_WAIT_NONE)
cwait = jiffies_to_msecs(cwait) / 10;
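Review bot: unlike the other get_serial_info() hunks, the context after the removed check here goes straight to the cwait computation and shows no memset() of tmp. Since "struct serial_struct tmp" lives on the stack and is what gets copied out to user space, please confirm it is zeroed before the copy; if the memset() is further down, moving it to the top as in the other drivers would make that obvious to the next reader.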
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index de9992b492b0..d52caa03679c 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1861,9 +1861,6 @@ static int get_serial_info(struct moschip_port 
*mos7720_port,
 {
struct serial_struct tmp;
 
-   if (!retinfo)
-   return -EFAULT;
-
memset(, 0, sizeof(tmp));
 
tmp.type= PORT_16550A;
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 57426d703a09..9a220b8e810f 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -1956,9 +1956,6 @@ static int mos7840_get_serial_info(struct moschip_port 
*mos7840_port,
if (mos7840_port == NULL)
return -1;
 
-   if (!retinfo)
-   return -EFAULT;
-
memset(, 0, sizeof(tmp));
 
tmp.type = PORT_16550A;
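Review bot: the check that remains just above the removed lines, "if (mos7840_port == NULL) return -1;", hands a bare -1 back through an ioctl path, which user space sees as EPERM. It is not introduced by this patch, but since the error handling in this function is being tidied, a follow-up returning a meaningful errno such as -ENODEV would be welcome.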
diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c
index 4b7bfb394a32..5ded6f524d59 100644
--- a/drivers/usb/serial/opticon.c
+++ b/drivers/usb/serial/opticon.c
@@ -336,9 +336,6 @@ static int get_serial_info(struct usb_serial_port *port,
 {
struct serial_struct tmp;
 
-   if (!serial)
-   return -EFAULT;
-
memset(, 0x00, sizeof(tmp));
 
/* fake emulate a 16550 uart to make userspace code happy */
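Review bot: the user pointer in this get_serial_info() is named "serial" (the removed test was "if (!serial)"), while the other hunks shown here call it retinfo, and in a usb-serial driver "serial" reads like the device structure. A rename to retinfo in a follow-up would keep kernel and user pointers easy to tell apart.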
diff --git a/drivers/usb/serial/quatech2.c b/drivers/usb/serial/quatech2.c
index 85acb50a7ee2..659cb8606bd9 100644
--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -463,9 +463,6 @@ static int get_serial_info(struct usb_serial_port *port,
 {
struct serial_struct tmp;
 
-   if (!retinfo)
-   return -EFAULT;
-
memset(, 0, sizeof(tmp));
tmp.line= port->minor;
tmp.port= 0;
diff --git a/drivers/usb/serial/ssu100.c b/drivers/usb/serial/ssu100.c
index 70a098de429f..2a156144c76c 100644
--- a/drivers/usb/serial/ssu100.c
+++ b/drivers/usb/serial/ssu100.c
@@ -318,9 +318,6 @@ static int get_serial_info(struct usb_serial_port *port,
 {
struct serial_struct tmp;
 
-   if (!retinfo)
-   return -EFAULT;
-
memset(, 0, sizeof(tmp));
tmp.line= port->minor;
tmp.port= 0;
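Review bot: the context here (the memset, then tmp.line = port->minor and tmp.port = 0) is the same as in the quatech2.c hunk, and the same three-line check was carried in each copy. As a follow-up, a shared helper for filling and copying out the serial_struct would keep the user-pointer handling in one place instead of one copy per driver.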
diff --git a/drivers/usb/serial/ti_usb_3410_5052.c 
b/drivers/usb/serial/ti_usb_3410_5052.c
index a8b9bdba314f..8db9d071d940 100644
---