linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: Junfeng Yang <yjf@stanford.edu>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Chris Wright <chris@wirex.com>,
	mc@cs.stanford.edu
Subject: Re: [CHECKER] 8 potential user-pointer errors that allow arbitrary writes to kernel
Date: 28 Apr 2003 13:49:17 +0100	[thread overview]
Message-ID: <1051534156.16805.13.camel@dhcp22.swansea.linux.org.uk> (raw)
In-Reply-To: <Pine.GSO.4.44.0304272346550.15342-100000@elaine24.Stanford.EDU>

On Llu, 2003-04-28 at 07:50, Junfeng Yang wrote:
> /home/junfeng/linux-tainted/drivers/usb/media/vicam.c:617:vicam_ioctl:
> ERROR:TAINTED:617:617: dereferencing tainted ptr 'vp' [Callstack:
> /home/junfeng/linux-tainted/drivers/scsi/sg.c:1002:vicam_ioctl((tainted
> 3))]
> 
> 			struct video_picture *vp = (struct video_picture
> *) arg;
> 
> 			DBG("VIDIOCSPICT depth = %d, pal = %d\n",
> vp->depth,
> 			    vp->palette);
> 
> 
> Error --->

Correct report. Fixed in 2.4.21-ac now

> /home/junfeng/linux-tainted/drivers/video/sis/sis_main.c:2476:sisfb_ioctl:
> ERROR:TAINTED:2476:2476: dereferencing tainted ptr 'x' [Callstack:
> /home/junfeng/linux-tainted/drivers/video/sstfb.c:808:sisfb_ioctl((tainted
> 3))]
> 

Correct - already fixed in 2.4.21-ac

> ---------------------------------------------------------
> [BUG] can write to anywhere in kernel. do_read is assigned to
> file_operations.read, which can take tainted inputs. even the parm itself
> has a name pUserBuffer
> 
> /home/junfeng/linux-tainted/drivers/isdn/eicon/linchr.c:166:do_read:
> ERROR:TAINTED:166:166: passing tainted ptr 'pClientLogBuffer' to
> __constant_memcpy [Callstack:
> /home/junfeng/linux-tainted/drivers/scsi/sg.c:362:do_read((tainted 1))]
> 
> 
> 	pHeadItem = (klog_t *) DivasLogFifoRead();
> 
Correct - fixed in 2.4.21-ac now

> [BUG] can write to anywhere in kernel. in the same subdir,
> midi_synth.c:midi_synth_ioctl does __copy_to_user(not copy_to_user?). it
> could be that there are some assumptions about the devices.
> 
> /home/junfeng/linux-tainted/sound/oss/mpu401.c:792:mpu_synth_ioctl:
> ERROR:TAINTED:792:792: passing tainted ptr 'arg' to __constant_memcpy
> [Callstack:
> /home/junfeng/linux-tainted/sound/oss/midi_synth.c:270:mpu_synth_ioctl((tainted
> 2))]

The verify is done in soundcard.c
Fixed mpu_synth_ioctl in 2.4.21-ac

> [BUG] can write to anywhere in kernel. mdc800_device_read is assigned to
> file_operations.read, which can take tainted inputs
> 
> /home/junfeng/linux-tainted/drivers/usb/image/mdc800.c:750:mdc800_device_read:
> ERROR:TAINTED:750:750: passing tainted ptr 'ptr' to __memcpy [Callstack:
> /home/junfeng/linux-tainted/drivers/scsi/sg.c:362:mdc800_device_read((tainted
> 1))]

Correct. Fixed in 2.4.21-ac


> [BUG] can write to anywhere in kernel. file_operations.write
> 
> /home/junfeng/linux-tainted/drivers/usb/image/mdc800.c:805:mdc800_device_write:
> ERROR:TAINTED:805:805: dereferencing tainted ptr 'buf + i' [Callstack:
> /home/junfeng/linux-tainted/drivers/media/dvb/av7110/av7110.c:3858:mdc800_device_write((tainted
> 1))]

Correct, fixed in 2.4.21-ac


> [BUG] can write to anywhere in kernel. awe_ioctl is assigned to
> file_operations.ioctl
> 
> /home/junfeng/linux-tainted/sound/oss/awe_wave.c:2049:awe_ioctl:
> ERROR:TAINTED:2049:2049: passing tainted ptr 'arg' to __constant_memcpy
> [Callstack:
> /home/junfeng/linux-tainted/sound/oss/midi_synth.c:270:awe_ioctl((tainted
> 2))]
> 
> 	case SNDCTL_SYNTH_INFO:
> 		if (playing_mode == AWE_PLAY_DIRECT)
> 			awe_info.nr_voices = awe_max_voices;
> 		else
> 			awe_info.nr_voices = AWE_MAX_CHANNELS;
> 
> Error --->
> 		memcpy((char*)arg, &awe_info, sizeof(awe_info));

Already fixed in 2.4, but correct report


  reply	other threads:[~2003-04-28 13:35 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-03-04 11:12 [CHECKER] potential races in kernel/*.c mm/*.c net/*ipv4*.c Dawson Engler
2003-03-04 12:24 ` Hugh Dickins
2003-03-04 13:23 ` Martin Josefsson
2003-03-21  6:33 ` [CHECKER] potential dereference of user pointer errors Junfeng Yang
2003-03-21 21:44   ` Chris Wright
2003-03-21 21:58     ` Junfeng Yang
2003-03-21 22:06       ` Chris Wright
2003-03-21 22:08     ` Junfeng Yang
2003-03-21 22:15   ` Chris Wright
2003-03-22 20:49     ` Alan Cox
2003-03-22 20:19       ` Chris Wright
2003-03-21 23:55   ` Chris Wright
2003-03-27  8:07     ` Jan Kasprzak
2003-03-27 17:10       ` Chris Wright
2003-04-21  7:49         ` [CHECKER] Help Needed! Junfeng Yang
2003-04-21 21:26           ` Chris Wright
2003-04-26  2:18             ` [CHECKER] 30 potential dereference of user-pointer errors Junfeng Yang
2003-04-27  9:26               ` James Morris
2003-04-28  1:55                 ` Junfeng Yang
2003-04-27 20:18               ` Nick Holloway
2003-04-27 21:14                 ` Junfeng Yang
2003-04-27 21:29               ` Junfeng Yang
2003-04-28  6:43               ` [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data Junfeng Yang
2003-04-29  7:25                 ` Greg KH
2003-04-29  9:14                   ` Junfeng Yang
2003-04-28  6:50               ` [CHECKER] 8 potential user-pointer errors that allow arbitrary writes to kernel Junfeng Yang
2003-04-28 12:49                 ` Alan Cox [this message]
2003-04-28 19:11                   ` Junfeng Yang
2003-04-29  0:02                     ` [CHECKER] 5 potential user-pointer errors in write_proc Junfeng Yang
2003-04-29  7:26               ` [CHECKER] 30 potential dereference of user-pointer errors Greg KH
2003-03-22  0:15   ` [CHECKER] potential dereference of user pointer errors Chris Wright
2003-03-22  0:32     ` Greg KH
2003-03-22  0:47       ` Chris Wright
2003-03-22  1:00         ` Greg KH
2003-03-22  0:32   ` Chris Wright
2003-03-23 23:10   ` Junfeng Yang
2003-03-24  0:24     ` [CHECKER] 63 potential calling blocking functions with locks held errors Junfeng Yang
2003-03-24 12:35       ` [CHECKER] 8 potential calling blocking kmalloc(GFP_KERNEL) " Junfeng Yang
2003-03-24  0:29     ` [CHECKER] 1 potential double unlock error Junfeng Yang
2003-03-24  9:07     ` [CHECKER] potential dereference of user pointer errors Jaroslav Kysela
2003-03-24 22:28   ` Raja R Harinath
2003-03-25  0:44     ` David S. Miller
2003-03-25 18:52       ` Raja R Harinath

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1051534156.16805.13.camel@dhcp22.swansea.linux.org.uk \
    --to=alan@lxorguk.ukuu.org.uk \
    --cc=chris@wirex.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mc@cs.stanford.edu \
    --cc=yjf@stanford.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).