From: Junfeng Yang <yjf@stanford.edu>
To: linux-kernel@vger.kernel.org, Chris Wright <chris@wirex.com>
Cc: mc@cs.stanford.edu
Subject: [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data
Date: Sun, 27 Apr 2003 23:43:56 -0700 (PDT) [thread overview]
Message-ID: <Pine.GSO.4.44.0304272336001.15277-100000@elaine24.Stanford.EDU> (raw)
In-Reply-To: <Pine.GSO.4.44.0304251855390.21961-100000@elaine24.Stanford.EDU>
Hi,
I classfied the errors in my previous report. Here are 3 errors that allow
a malicious user to print out arbitrary kernel data. (the 4th error is at
least bad programming practice.)
All of them are in usb/serial.
Any replies will be appreciated.
---------------------------------------------------------
[BUG] buf is tainted. can print out arbitrary kernel data if debug is on
/home/junfeng/linux-tainted/drivers/usb/serial/empeg.c:225:empeg_write:
ERROR:TAINTED:225:225: passing tainted ptr 'buf' to usb_serial_debug_data
[Callstack:
/home/junfeng/linux-tainted/drivers/usb/serial/safe_serial.c:327:empeg_write((tainted
2))]
int bytes_sent = 0;
int transfer_size;
dbg("%s - port %d", __FUNCTION__, port->number);
Error --->
usb_serial_debug_data (__FILE__, __FUNCTION__, count, buf);
while (count > 0) {
---------------------------------------------------------
[BUG] can print out arbitrary kernel data if debug is on
/home/junfeng/linux-tainted/drivers/usb/serial/ipaq.c:371:ipaq_write:
ERROR:TAINTED:371:371: passing tainted ptr 'buf' to usb_serial_debug_data
[Callstack:
/home/junfeng/linux-tainted/drivers/usb/serial/safe_serial.c:327:ipaq_write((tainted
2))]
int bytes_sent = 0;
int transfer_size;
dbg("%s - port %d", __FUNCTION__, port->number);
Error --->
usb_serial_debug_data(__FILE__, __FUNCTION__, count, buf);
while (count > 0) {
transfer_size = min(count, PACKET_SIZE);
---------------------------------------------------------
[BUG] can print out arbitrary kernel data if debug is on
/home/junfeng/linux-tainted/drivers/usb/serial/keyspan.c:328:keyspan_write:
ERROR:TAINTED:328:328: dereferencing tainted ptr 'buf' [Callstack: ]
p_priv = usb_get_serial_port_data(port);
d_details = p_priv->device_details;
dbg("%s - for port %d (%d chars [%x]), flip=%d",
Error --->
__FUNCTION__, port->number, count, buf[0], p_priv->out_flip);
for (left = count; left > 0; left -= todo) {
todo = left;
---------------------------------------------------------
[BUG] at least bad programming practice. call usb_serial_debug_data on
tainted pointer data. it is verified by previous call to copy_*_user.
/home/junfeng/linux-tainted/drivers/usb/serial/io_edgeport.c:1381:edge_write:
ERROR:TAINTED:1381:1381: passing tainted ptr 'data' to
usb_serial_debug_data [Callstack: ]
fifo->head += secondhalf;
// No need to check for wrap since we can not get to end
of fifo in this part
}
if (copySize) {
Error --->
usb_serial_debug_data (__FILE__, __FUNCTION__, copySize,
data);
}
send_more_port_data((struct edgeport_serial
*)usb_get_serial_data(port->serial), edge_port);
next prev parent reply other threads:[~2003-04-28 6:31 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-03-04 11:12 [CHECKER] potential races in kernel/*.c mm/*.c net/*ipv4*.c Dawson Engler
2003-03-04 12:24 ` Hugh Dickins
2003-03-04 13:23 ` Martin Josefsson
2003-03-21 6:33 ` [CHECKER] potential dereference of user pointer errors Junfeng Yang
2003-03-21 21:44 ` Chris Wright
2003-03-21 21:58 ` Junfeng Yang
2003-03-21 22:06 ` Chris Wright
2003-03-21 22:08 ` Junfeng Yang
2003-03-21 22:15 ` Chris Wright
2003-03-22 20:49 ` Alan Cox
2003-03-22 20:19 ` Chris Wright
2003-03-21 23:55 ` Chris Wright
2003-03-27 8:07 ` Jan Kasprzak
2003-03-27 17:10 ` Chris Wright
2003-04-21 7:49 ` [CHECKER] Help Needed! Junfeng Yang
2003-04-21 21:26 ` Chris Wright
2003-04-26 2:18 ` [CHECKER] 30 potential dereference of user-pointer errors Junfeng Yang
2003-04-27 9:26 ` James Morris
2003-04-28 1:55 ` Junfeng Yang
2003-04-27 20:18 ` Nick Holloway
2003-04-27 21:14 ` Junfeng Yang
2003-04-27 21:29 ` Junfeng Yang
2003-04-28 6:43 ` Junfeng Yang [this message]
2003-04-29 7:25 ` [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data Greg KH
2003-04-29 9:14 ` Junfeng Yang
2003-04-28 6:50 ` [CHECKER] 8 potential user-pointer errors that allow arbitrary writes to kernel Junfeng Yang
2003-04-28 12:49 ` Alan Cox
2003-04-28 19:11 ` Junfeng Yang
2003-04-29 0:02 ` [CHECKER] 5 potential user-pointer errors in write_proc Junfeng Yang
2003-04-29 7:26 ` [CHECKER] 30 potential dereference of user-pointer errors Greg KH
2003-03-22 0:15 ` [CHECKER] potential dereference of user pointer errors Chris Wright
2003-03-22 0:32 ` Greg KH
2003-03-22 0:47 ` Chris Wright
2003-03-22 1:00 ` Greg KH
2003-03-22 0:32 ` Chris Wright
2003-03-23 23:10 ` Junfeng Yang
2003-03-24 0:24 ` [CHECKER] 63 potential calling blocking functions with locks held errors Junfeng Yang
2003-03-24 12:35 ` [CHECKER] 8 potential calling blocking kmalloc(GFP_KERNEL) " Junfeng Yang
2003-03-24 0:29 ` [CHECKER] 1 potential double unlock error Junfeng Yang
2003-03-24 9:07 ` [CHECKER] potential dereference of user pointer errors Jaroslav Kysela
2003-03-24 22:28 ` Raja R Harinath
2003-03-25 0:44 ` David S. Miller
2003-03-25 18:52 ` Raja R Harinath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.GSO.4.44.0304272336001.15277-100000@elaine24.Stanford.EDU \
--to=yjf@stanford.edu \
--cc=chris@wirex.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mc@cs.stanford.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).