From: Greg KH <greg@kroah.com>
To: Junfeng Yang <yjf@stanford.edu>
Cc: linux-kernel@vger.kernel.org, Chris Wright <chris@wirex.com>,
mc@cs.stanford.edu
Subject: Re: [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data
Date: Tue, 29 Apr 2003 00:25:00 -0700 [thread overview]
Message-ID: <20030429072500.GA4616@kroah.com> (raw)
In-Reply-To: <Pine.GSO.4.44.0304272336001.15277-100000@elaine24.Stanford.EDU>
On Sun, Apr 27, 2003 at 11:43:56PM -0700, Junfeng Yang wrote:
>
> ---------------------------------------------------------
> [BUG] buf is tainted. can print out arbitrary kernel data if debug is on
> /home/junfeng/linux-tainted/drivers/usb/serial/empeg.c:225:empeg_write:
> ERROR:TAINTED:225:225: passing tainted ptr 'buf' to usb_serial_debug_data
> [Callstack:
> /home/junfeng/linux-tainted/drivers/usb/serial/safe_serial.c:327:empeg_write((tainted
> 2))]
>
> int bytes_sent = 0;
> int transfer_size;
>
> dbg("%s - port %d", __FUNCTION__, port->number);
>
>
> Error --->
> usb_serial_debug_data (__FILE__, __FUNCTION__, count, buf);
>
> while (count > 0) {
Real problem, I'll fix it.
> ---------------------------------------------------------
> [BUG] can print out arbitrary kernel data if debug is on
> /home/junfeng/linux-tainted/drivers/usb/serial/ipaq.c:371:ipaq_write:
> ERROR:TAINTED:371:371: passing tainted ptr 'buf' to usb_serial_debug_data
> [Callstack:
> /home/junfeng/linux-tainted/drivers/usb/serial/safe_serial.c:327:ipaq_write((tainted
> 2))]
>
> int bytes_sent = 0;
> int transfer_size;
>
> dbg("%s - port %d", __FUNCTION__, port->number);
>
>
> Error --->
> usb_serial_debug_data(__FILE__, __FUNCTION__, count, buf);
Real problem, I'll fix it.
> ---------------------------------------------------------
> [BUG] can print out arbitrary kernel data if debug is on
> /home/junfeng/linux-tainted/drivers/usb/serial/keyspan.c:328:keyspan_write:
> ERROR:TAINTED:328:328: dereferencing tainted ptr 'buf' [Callstack: ]
>
>
> p_priv = usb_get_serial_port_data(port);
> d_details = p_priv->device_details;
>
> dbg("%s - for port %d (%d chars [%x]), flip=%d",
>
> Error --->
> __FUNCTION__, port->number, count, buf[0], p_priv->out_flip);
Real problem, I'll fix it.
> ---------------------------------------------------------
> [BUG] at least bad programming practice. call usb_serial_debug_data on
> tainted pointer data. it is verified by previous call to copy_*_user.
>
> /home/junfeng/linux-tainted/drivers/usb/serial/io_edgeport.c:1381:edge_write:
> ERROR:TAINTED:1381:1381: passing tainted ptr 'data' to
> usb_serial_debug_data [Callstack: ]
>
> fifo->head += secondhalf;
> // No need to check for wrap since we can not get to end
> of fifo in this part
> }
>
> if (copySize) {
>
> Error --->
> usb_serial_debug_data (__FILE__, __FUNCTION__, copySize,
> data);
Again, a real problem, I'll fix it.
Thanks a lot for finding these, I think these problems are also in
2.4...
greg k-h
next prev parent reply other threads:[~2003-04-29 7:12 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-03-04 11:12 [CHECKER] potential races in kernel/*.c mm/*.c net/*ipv4*.c Dawson Engler
2003-03-04 12:24 ` Hugh Dickins
2003-03-04 13:23 ` Martin Josefsson
2003-03-21 6:33 ` [CHECKER] potential dereference of user pointer errors Junfeng Yang
2003-03-21 21:44 ` Chris Wright
2003-03-21 21:58 ` Junfeng Yang
2003-03-21 22:06 ` Chris Wright
2003-03-21 22:08 ` Junfeng Yang
2003-03-21 22:15 ` Chris Wright
2003-03-22 20:49 ` Alan Cox
2003-03-22 20:19 ` Chris Wright
2003-03-21 23:55 ` Chris Wright
2003-03-27 8:07 ` Jan Kasprzak
2003-03-27 17:10 ` Chris Wright
2003-04-21 7:49 ` [CHECKER] Help Needed! Junfeng Yang
2003-04-21 21:26 ` Chris Wright
2003-04-26 2:18 ` [CHECKER] 30 potential dereference of user-pointer errors Junfeng Yang
2003-04-27 9:26 ` James Morris
2003-04-28 1:55 ` Junfeng Yang
2003-04-27 20:18 ` Nick Holloway
2003-04-27 21:14 ` Junfeng Yang
2003-04-27 21:29 ` Junfeng Yang
2003-04-28 6:43 ` [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data Junfeng Yang
2003-04-29 7:25 ` Greg KH [this message]
2003-04-29 9:14 ` Junfeng Yang
2003-04-28 6:50 ` [CHECKER] 8 potential user-pointer errors that allow arbitrary writes to kernel Junfeng Yang
2003-04-28 12:49 ` Alan Cox
2003-04-28 19:11 ` Junfeng Yang
2003-04-29 0:02 ` [CHECKER] 5 potential user-pointer errors in write_proc Junfeng Yang
2003-04-29 7:26 ` [CHECKER] 30 potential dereference of user-pointer errors Greg KH
2003-03-22 0:15 ` [CHECKER] potential dereference of user pointer errors Chris Wright
2003-03-22 0:32 ` Greg KH
2003-03-22 0:47 ` Chris Wright
2003-03-22 1:00 ` Greg KH
2003-03-22 0:32 ` Chris Wright
2003-03-23 23:10 ` Junfeng Yang
2003-03-24 0:24 ` [CHECKER] 63 potential calling blocking functions with locks held errors Junfeng Yang
2003-03-24 12:35 ` [CHECKER] 8 potential calling blocking kmalloc(GFP_KERNEL) " Junfeng Yang
2003-03-24 0:29 ` [CHECKER] 1 potential double unlock error Junfeng Yang
2003-03-24 9:07 ` [CHECKER] potential dereference of user pointer errors Jaroslav Kysela
2003-03-24 22:28 ` Raja R Harinath
2003-03-25 0:44 ` David S. Miller
2003-03-25 18:52 ` Raja R Harinath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030429072500.GA4616@kroah.com \
--to=greg@kroah.com \
--cc=chris@wirex.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mc@cs.stanford.edu \
--cc=yjf@stanford.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).