fs/read_write.c:compat_readv(): remove bogus area verify
The compat_do_readv_writev() function was doing a verify_area on the incoming iov, but the nr_segs value is not checked. If someone passes in a -1 for nr_segs, for instance, the function should return an EINVAL. However, it returns a EFAULT because the verify_area fails because it is checking an array of size MAX_UINT. The check is bogus, anyway, because the next check, compat_rw_copy_check_uvector(), will do all the necessary checking, anyway. The non-compat do_readv_writev() function doesn't do this check, so I think it's safe to just remove the code. Signed-off-by: Corey Minyard <cminyard@mvista.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
38316c8ab7
commit
4e4f9e66a7
|
@ -901,10 +901,6 @@ static ssize_t compat_do_readv_writev(int type, struct file *file,
|
|||
io_fn_t fn;
|
||||
iov_fn_t fnv;
|
||||
|
||||
ret = -EFAULT;
|
||||
if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
|
||||
goto out;
|
||||
|
||||
ret = compat_rw_copy_check_uvector(type, uvector, nr_segs,
|
||||
UIO_FASTIOV, iovstack, &iov);
|
||||
if (ret <= 0)
|
||||
|
|
Loading…
Reference in New Issue