From: Jan Harkes <jaharkes@cs.cmu.edu>
To: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
Cc: Bryan Fulton <bryan@coverity.com>,
linux-kernel@vger.kernel.org, Andrew Morton <akpm@osdl.org>
Subject: Re: [Coverity] Untrusted user data in kernel
Date: Wed, 5 Jan 2005 10:09:30 -0500 [thread overview]
Message-ID: <20050105150930.GK28521@delft.aura.cs.cmu.edu> (raw)
In-Reply-To: <20050105120423.GA13662@logos.cnet>
On Wed, Jan 05, 2005 at 10:04:23AM -0200, Marcelo Tosatti wrote:
> On Thu, Dec 16, 2004 at 05:33:32PM -0800, Bryan Fulton wrote:
> Correct, fix for both v2.4 and v2.6 attached. Adds bound checking:
>
> Jan Harkes, please check correctness so we can apply it.
I was looking at this and actually think that both in_size and out_size
should just be changed to unsigned short instead of signed short (the
values should never be negative, period).
That fixes the bounds checking on the in_size, but the out_size one is
still questionable. I'm not even sure the code is actually testing the
right thing there.
> --- linux-2.6.10-rc3/fs/coda/upcall.c.orig 2005-01-05 10:30:24.575445152 -0200
> +++ linux-2.6.10-rc3/fs/coda/upcall.c 2005-01-05 10:30:26.623133856 -0200
> @@ -550,10 +550,15 @@
> UPARG(CODA_IOCTL);
>
> /* build packet for Venus */
> - if (data->vi.in_size > VC_MAXDATASIZE) {
> + if (data->vi.in_size > VC_MAXDATASIZE || data->vi.in_size < 0) {
> error = -EINVAL;
> goto exit;
> - }
> + }
This part would work, but changing to the variable to unsigned short
in include/linux/coda.h works just as well.
> + if (data->vi.out_size > VC_MAXDATASIZE || data->vi.out_size < 0) {
> + error = -EINVAL;
> + goto exit;
> + }
We might be overwriting out_size when making the upcall to venus, so
checking out_size here probably doesn't help all that much. I'm still
looking at what exactly is going on with that. I should have a patch by
the end of the week.
Jan
next prev parent reply other threads:[~2005-01-05 15:12 UTC|newest]
Thread overview: 242+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-17 1:33 [Coverity] Untrusted user data in kernel Bryan Fulton
2004-12-17 5:15 ` James Morris
2004-12-17 5:15 ` James Morris
2004-12-17 5:25 ` Patrick McHardy
2004-12-17 6:45 ` James Morris
2004-12-17 6:45 ` James Morris
2004-12-17 13:18 ` Tomas Carnecky
2004-12-17 19:16 ` David S. Miller
2004-12-17 19:16 ` David S. Miller
2004-12-17 19:34 ` Tomas Carnecky
2004-12-17 19:30 ` David S. Miller
2004-12-17 19:30 ` David S. Miller
2004-12-17 15:47 ` Bill Davidsen
2004-12-17 16:11 ` linux-os
2004-12-17 16:31 ` Oliver Neukum
2004-12-17 18:37 ` Bill Davidsen
2004-12-17 19:18 ` Tomas Carnecky
2004-12-17 19:30 ` Oliver Neukum
2004-12-17 19:39 ` Tomas Carnecky
2004-12-18 1:42 ` Horst von Brand
2004-12-17 15:10 ` Pavel Machek
2004-12-17 15:38 ` James Morris
2005-01-05 12:04 ` Marcelo Tosatti
2005-01-05 15:09 ` Jan Harkes [this message]
2005-01-05 23:17 ` Nathan Scott
[not found] ` <20050105161653.GF13455@fi.muni.cz>
[not found] ` <20050105140549.GA14622@logos.cnet>
2005-01-06 9:18 ` Jan Kasprzak
2005-01-06 14:48 ` Paulo Marques
2005-01-06 16:29 ` Alan Cox
2005-01-07 21:49 ` [PATCH 2.4.29-pre3-bk4] fs/coda " Jan Harkes
2005-01-07 21:54 ` [PATCH 2.6.10-mm2] " Jan Harkes
-- strict thread matches above, loose matches on Subject: below --
2004-12-02 0:04 What if? Imanpreet Singh Arora
2004-12-02 4:40 ` Theodore Ts'o
2004-12-02 6:39 ` Norbert van Nobelen
2004-12-02 8:24 ` James Bruce
2004-12-02 20:25 ` Theodore Ts'o
2004-12-03 2:23 ` David Schwartz
2004-12-02 8:33 ` J.A. Magallon
2004-12-02 10:46 ` Bernd Petrovitsch
2004-12-02 10:56 ` Pawel Sikora
2004-12-13 15:23 ` H. Peter Anvin
2004-12-13 21:08 ` J.A. Magallon
2004-12-16 0:57 ` Alan Cox
2004-12-16 2:44 ` H. Peter Anvin
2004-12-16 13:23 ` Alan Cox
2004-12-16 15:23 ` Geert Uytterhoeven
2004-12-16 20:37 ` H. Peter Anvin
2004-12-16 20:52 ` Jan Engelhardt
2004-12-16 20:56 ` H. Peter Anvin
2004-12-16 21:08 ` Jan Engelhardt
2004-12-02 10:25 ` Jan Engelhardt
2004-12-05 0:23 ` Horst von Brand
2004-12-05 6:21 ` Kyle Moffett
2004-12-05 22:43 ` Horst von Brand
2004-12-06 17:27 ` linux-os
2004-12-06 18:52 ` Horst von Brand
2004-12-02 10:53 ` Bernd Petrovitsch
2004-12-11 8:52 ` Gábor Lénárt
2004-11-04 16:01 Linux-2.6.9 won't allow a write to a NTFS file-system linux-os
2004-11-04 16:48 ` Giuseppe Bilotta
2004-11-04 17:09 ` linux-os
2004-11-04 17:40 ` Giuseppe Bilotta
2004-11-04 17:46 ` Mathieu Segaud
2004-11-04 22:17 ` Anton Altaparmakov
2004-11-04 22:18 ` Anton Altaparmakov
2004-11-04 22:38 ` linux-os
2004-11-05 14:43 ` Rahul Karnik
2004-11-05 1:46 ` Horst von Brand
2004-11-05 12:41 ` linux-os
2004-10-18 22:45 Linux v2.6.9 Linus Torvalds
2004-10-18 23:27 ` Thomas Zehetbauer
2004-10-19 2:54 ` Eric W. Biederman
2004-10-19 16:55 ` Jesper Juhl
2004-10-19 14:36 ` Linux v2.6.9... (compile stats) John Cherry
2004-10-19 16:18 ` Matthew Dharm
2004-10-19 16:49 ` viro
2004-10-19 21:37 ` John Cherry
2004-10-20 22:11 ` John Cherry
2004-10-20 22:41 ` viro
2004-10-21 0:12 ` Linus Torvalds
2004-10-21 0:29 ` Jeff Garzik
2004-10-21 0:44 ` viro
2004-10-21 1:55 ` viro
2004-10-21 1:59 ` Jeff Garzik
2004-10-21 2:24 ` viro
2004-10-21 2:37 ` Jeff Garzik
2004-10-21 4:35 ` viro
2004-10-21 8:57 ` Jeff Garzik
2004-10-20 22:50 ` Dave Jones
2004-10-19 17:38 ` Linux v2.6.9 and GPL Buyout Jeff V. Merkey
2004-10-19 19:13 ` Russell King
2004-10-19 19:04 ` Jeff V. Merkey
2004-10-19 19:24 ` Kurt Wall
2004-10-19 19:12 ` Jeff V. Merkey
2004-10-19 20:01 ` Richard B. Johnson
2004-10-19 20:39 ` Matt Mackall
2004-10-20 0:06 ` Richard B. Johnson
2004-10-20 5:21 ` Matt Mackall
2004-10-19 19:28 ` Andre Hedrick
2004-10-19 19:10 ` Jeff V. Merkey
2004-10-19 19:30 ` Rik van Riel
2004-10-19 19:05 ` Jeff V. Merkey
2004-10-19 20:14 ` Diego Calleja
2004-10-19 19:41 ` Jeff V. Merkey
2004-10-20 8:27 ` Bernd Petrovitsch
2004-10-20 8:45 ` Jens Axboe
2004-10-19 19:47 ` Jeff V. Merkey
2004-10-19 20:05 ` Richard B. Johnson
2004-10-19 19:38 ` Jeff V. Merkey
2004-10-19 20:30 ` Thomas Gleixner
2004-10-19 20:15 ` Jeff V. Merkey
2004-10-22 23:22 ` Tonnerre
2004-10-19 19:45 ` Ross Biro
2004-10-19 19:36 ` Jeff V. Merkey
2004-10-19 19:54 ` David Johnson
2004-10-19 19:55 ` viro
2004-10-19 19:25 ` Jeff V. Merkey
2004-10-19 20:38 ` Dax Kelson
2004-10-19 20:09 ` Jeff V. Merkey
2004-10-19 22:16 ` Jim Nelson
2004-10-19 22:57 ` Bernd Petrovitsch
2004-10-19 22:27 ` Scott Robert Ladd
2004-10-20 19:41 ` Bill Davidsen
2004-10-20 1:15 ` Horst von Brand
2004-10-20 1:16 ` Bastiaan Spandaw
2004-10-20 19:35 ` Bill Davidsen
2004-10-20 3:45 ` Ryan Anderson
2004-10-20 4:18 ` Lee Revell
2004-10-20 4:41 ` Lee Revell
2004-10-20 11:49 ` Richard B. Johnson
2004-10-29 12:12 ` Semaphore assembly-code bug linux-os
2004-10-29 14:46 ` Linus Torvalds
2004-10-29 15:11 ` Andi Kleen
2004-10-29 18:18 ` Linus Torvalds
2004-10-29 18:35 ` Richard Henderson
2004-10-29 16:06 ` Andreas Steinmetz
2004-10-29 17:08 ` linux-os
2004-10-29 18:06 ` Linus Torvalds
2004-10-29 18:39 ` linux-os
2004-10-29 19:12 ` Linus Torvalds
2004-11-01 1:31 ` linux-os
2004-11-01 5:49 ` Linus Torvalds
2004-11-01 20:23 ` dean gaudet
2004-11-01 20:52 ` linux-os
2004-11-01 21:23 ` dean gaudet
2004-11-01 22:22 ` linux-os
2004-11-01 21:40 ` Linus Torvalds
2004-11-01 21:46 ` Linus Torvalds
2004-11-02 15:02 ` linux-os
2004-11-02 16:02 ` Linus Torvalds
2004-11-02 16:06 ` Linus Torvalds
2004-11-02 16:51 ` linux-os
2004-11-01 22:16 ` linux-os
2004-11-01 22:26 ` Linus Torvalds
2004-11-01 23:14 ` linux-os
2004-11-01 23:42 ` Linus Torvalds
2004-11-03 1:52 ` Horst von Brand
2004-11-03 21:24 ` Bill Davidsen
2004-11-02 6:37 ` Chris Friesen
2004-10-29 18:58 ` Andreas Steinmetz
2004-10-29 19:15 ` Linus Torvalds
2004-10-29 19:40 ` Andreas Steinmetz
2004-10-29 19:56 ` Linus Torvalds
2004-10-29 22:07 ` Jeff Garzik
2004-10-29 23:50 ` dean gaudet
2004-10-30 0:15 ` Linus Torvalds
2004-10-29 23:37 ` dean gaudet
2004-10-29 17:22 ` linux-os
2004-10-29 17:55 ` Richard Henderson
2004-10-29 18:17 ` linux-os
2004-10-29 18:42 ` Linus Torvalds
2004-10-29 18:54 ` Linus Torvalds
2004-10-30 3:35 ` Jeff Garzik
2004-10-29 19:20 ` Linus Torvalds
2004-10-29 19:26 ` Linus Torvalds
2004-10-29 21:03 ` Linus Torvalds
2004-10-29 17:57 ` Richard Henderson
2004-10-29 18:37 ` Gabriel Paubert
2004-10-20 5:58 ` Linux v2.6.9 and GPL Buyout John Alvord
2004-10-20 14:42 ` Martin Waitz
2004-10-21 23:59 ` Kelledin
2004-10-22 8:46 ` Bernd Petrovitsch
2004-10-22 9:07 ` David Weinehall
2004-10-22 16:15 ` Jeff V. Merkey
2004-10-22 17:52 ` Al Viro
2004-10-22 17:22 ` Jeff V. Merkey
2004-10-22 19:37 ` Jeff V. Merkey
2004-10-22 20:46 ` Grahame White
2004-10-22 20:58 ` Buddy Lucas
2004-10-22 21:00 ` Richard B. Johnson
2004-10-22 21:03 ` Thomas Gleixner
2004-10-23 12:33 ` Bernd Petrovitsch
2004-10-24 14:15 ` Kai Henningsen
2004-10-27 1:45 ` Horst von Brand
2004-10-24 11:00 ` Matthias Andree
2004-10-24 14:13 ` Kai Henningsen
2004-10-25 18:44 ` Bill Davidsen
2004-10-20 19:46 ` Bill Davidsen
2004-10-19 21:02 ` Pekka Pietikainen
2004-10-19 20:27 ` Jeff V. Merkey
2004-10-22 6:54 ` Erik Andersen
2004-10-22 16:12 ` Jeff V. Merkey
2004-10-19 21:17 ` Paul Fulghum
2004-10-20 20:41 ` Geert Uytterhoeven
2004-10-23 13:43 ` James Bruce
2004-10-19 21:26 ` Ramón Rey Vicente
2004-10-19 22:52 ` Buddy Lucas
2004-10-20 23:43 ` Eric Bambach
2004-10-20 23:48 ` Eric Bambach
2004-10-20 23:59 ` Hua Zhong
2004-10-21 0:13 ` Russell Miller
2004-10-21 0:18 ` Adam Heath
2004-10-21 10:16 ` Horst von Brand
2004-10-22 8:48 ` Ingo Molnar
2004-10-22 16:15 ` Jeff V. Merkey
2004-10-23 0:14 ` Jon Masters
2004-10-22 23:46 ` Jeff V. Merkey
2004-10-23 0:57 ` Jon Masters
2004-10-23 4:42 ` Jeff V. Merkey
2004-10-23 6:32 ` Nick Piggin
[not found] ` <20041023064538.GA7866@galt.devicelogics.com>
2004-10-23 7:20 ` Jeff V. Merkey
2004-10-23 10:11 ` Gene Heskett
2004-10-23 16:28 ` Linus Torvalds
2004-10-24 2:48 ` Jesper Juhl
2004-10-24 5:11 ` Jeff V. Merkey
2004-10-24 11:14 ` Jon Masters
2004-10-24 11:50 ` Jim Nelson
2004-10-24 15:35 ` Ingo Molnar
2004-10-24 15:53 ` Bernd Petrovitsch
2004-10-31 23:14 ` Jan 'JaSan' Sarenik
2004-10-24 2:11 ` Buddy Lucas
2004-10-23 0:38 ` Lee Revell
2004-10-23 0:07 ` Jeff V. Merkey
2004-10-23 1:06 ` Lee Revell
2004-10-21 2:41 ` Linux v2.6.9 (Strange tty problem?) Paul
2004-10-21 9:07 ` Alan Cox
2004-10-21 12:39 ` Russell King
2004-10-21 13:20 ` Paul Fulghum
2004-10-21 15:37 ` Alan Cox
2004-10-21 17:00 ` Paul Fulghum
2004-10-21 15:47 ` Paul Fulghum
2004-10-21 18:12 ` Paul Fulghum
2004-10-31 21:11 ` Linux v2.6.9 dies when starting X on radeon 9200 SE PCI Helge Hafting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050105150930.GK28521@delft.aura.cs.cmu.edu \
--to=jaharkes@cs.cmu.edu \
--cc=akpm@osdl.org \
--cc=bryan@coverity.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.tosatti@cyclades.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.