net/compat: Fix minor information leak in siocdevprivate_ioctl()

We don't need to check that ifr_data itself is a valid user pointer,
but we should check &ifr_data is.  Thankfully the copy of ifr_name is
checked, so this can only leak a few bytes from immediately above the
user address limit.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>

diff --git a/net/socket.c b/net/socket.c
index c226aceee65b8b8c59d93d6a133a04c86177ceef..fbb6ec13b1f4d8a668e432830f0d585839299128 100644 (file)
--- a/net/socket.c
+++ b/net/socket.c
@@ -3015,19 +3015,16 @@ static int siocdevprivate_ioctl(struct net *net, unsigned int cmd,
        if (copy_from_user(&tmp_buf[0], &(u_ifreq32->ifr_ifrn.ifrn_name[0]),
                           IFNAMSIZ))
                return -EFAULT;
-       if (__get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
+       if (get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
                return -EFAULT;
        data64 = compat_ptr(data32);
 
        u_ifreq64 = compat_alloc_user_space(sizeof(*u_ifreq64));
 
-       /* Don't check these user accesses, just let that get trapped
-        * in the ioctl handler instead.
-        */
        if (copy_to_user(&u_ifreq64->ifr_ifrn.ifrn_name[0], &tmp_buf[0],
                         IFNAMSIZ))
                return -EFAULT;
-       if (__put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
+       if (put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
                return -EFAULT;
 
        return dev_ioctl(net, cmd, u_ifreq64);