| From f3bc432aa8a7a2bfe9ebb432502be5c5d979d7fe Mon Sep 17 00:00:00 2001 |
| From: Alan Stern <stern@rowland.harvard.edu> |
| Date: Thu, 19 Nov 2020 12:02:28 -0500 |
| Subject: USB: core: Change %pK for __user pointers to %px |
| |
| From: Alan Stern <stern@rowland.harvard.edu> |
| |
| commit f3bc432aa8a7a2bfe9ebb432502be5c5d979d7fe upstream. |
| |
| Commit 2f964780c03b ("USB: core: replace %p with %pK") used the %pK |
| format specifier for a bunch of __user pointers. But as the 'K' in |
| the specifier indicates, it is meant for kernel pointers. The reason |
| for the %pK specifier is to avoid leaks of kernel addresses, but when |
| the pointer is to an address in userspace the security implications |
| are minimal. In particular, no kernel information is leaked. |
| |
| This patch changes the __user %pK specifiers (used in a bunch of |
| debugging output lines) to %px, which will always print the actual |
| address with no mangling. (Notably, there is no printk format |
| specifier particularly intended for __user pointers.) |
| |
| Fixes: 2f964780c03b ("USB: core: replace %p with %pK") |
| CC: Vamsi Krishna Samavedam <vskrishn@codeaurora.org> |
| CC: <stable@vger.kernel.org> |
| Signed-off-by: Alan Stern <stern@rowland.harvard.edu> |
| Link: https://lore.kernel.org/r/20201119170228.GB576844@rowland.harvard.edu |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/usb/core/devio.c | 14 +++++++------- |
| 1 file changed, 7 insertions(+), 7 deletions(-) |
| |
| --- a/drivers/usb/core/devio.c |
| +++ b/drivers/usb/core/devio.c |
| @@ -482,11 +482,11 @@ static void snoop_urb(struct usb_device |
| |
| if (userurb) { /* Async */ |
| if (when == SUBMIT) |
| - dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, " |
| + dev_info(&udev->dev, "userurb %px, ep%d %s-%s, " |
| "length %u\n", |
| userurb, ep, t, d, length); |
| else |
| - dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, " |
| + dev_info(&udev->dev, "userurb %px, ep%d %s-%s, " |
| "actual_length %u status %d\n", |
| userurb, ep, t, d, length, |
| timeout_or_status); |
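Review bot: The `%px` in both `dev_info()` calls here writes the unhashed user-space address of `userurb` into the kernel log, and nothing at the call sites says the raw form is intended. No kernel address is exposed, as the commit message argues, but anyone who can read the log still learns an address inside the usbfs client process, so it is worth confirming these lines are reached only when snooping is enabled (that gate, like the start of `snoop_urb`, is outside the hunk). I would add a one-line comment above the first call, `/* userurb is a __user pointer: %px is deliberate, no kernel address is printed */`, so a later checkpatch-driven `%px` cleanup does not revert it. The same applies to the `reap %px` lines in the four `proc_reapurb*` hunks and the `DISCARDURB` line in `usbdev_do_ioctl`.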
| @@ -1992,7 +1992,7 @@ static int proc_reapurb(struct usb_dev_s |
| if (as) { |
| int retval; |
| |
| - snoop(&ps->dev->dev, "reap %pK\n", as->userurb); |
| + snoop(&ps->dev->dev, "reap %px\n", as->userurb); |
| retval = processcompl(as, (void __user * __user *)arg); |
| free_async(as); |
| return retval; |
| @@ -2009,7 +2009,7 @@ static int proc_reapurbnonblock(struct u |
| |
| as = async_getcompleted(ps); |
| if (as) { |
| - snoop(&ps->dev->dev, "reap %pK\n", as->userurb); |
| + snoop(&ps->dev->dev, "reap %px\n", as->userurb); |
| retval = processcompl(as, (void __user * __user *)arg); |
| free_async(as); |
| } else { |
| @@ -2139,7 +2139,7 @@ static int proc_reapurb_compat(struct us |
| if (as) { |
| int retval; |
| |
| - snoop(&ps->dev->dev, "reap %pK\n", as->userurb); |
| + snoop(&ps->dev->dev, "reap %px\n", as->userurb); |
| retval = processcompl_compat(as, (void __user * __user *)arg); |
| free_async(as); |
| return retval; |
| @@ -2156,7 +2156,7 @@ static int proc_reapurbnonblock_compat(s |
| |
| as = async_getcompleted(ps); |
| if (as) { |
| - snoop(&ps->dev->dev, "reap %pK\n", as->userurb); |
| + snoop(&ps->dev->dev, "reap %px\n", as->userurb); |
| retval = processcompl_compat(as, (void __user * __user *)arg); |
| free_async(as); |
| } else { |
| @@ -2621,7 +2621,7 @@ static long usbdev_do_ioctl(struct file |
| #endif |
| |
| case USBDEVFS_DISCARDURB: |
| - snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p); |
| + snoop(&dev->dev, "%s: DISCARDURB %px\n", __func__, p); |
| ret = proc_unlinkurb(ps, p); |
| break; |
| |