* drivers/s390/char/keyboard.c NULL pointer reference
@ 2017-08-03 13:57 sohu0106
2017-08-04 9:26 ` Heiko Carstens
0 siblings, 1 reply; 4+ messages in thread
From: sohu0106 @ 2017-08-03 13:57 UTC (permalink / raw)
To: schwidefsky, heiko.carstens; +Cc: linux-s390, torvalds, linux-kernel
Local users are able to send a NULL arg argument to kbd_ioctl(), which could cause a kernel crash
diff --git a/keyboard.c
b/keyboard.c
index ba0e4f9..3ec16b1 100644
--- a/keyboard.c
+++ b/keyboard.c
@@ -456,6 +456,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
int perm;
argp = (void __user *)arg;
+ if( !argp )
+ return -EFAULT;
/*
* To have permissions to do most of the vt ioctls, we either have
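Review bot: The added `if( !argp ) return -EFAULT;` is redundant: `argp` is only ever passed on to uaccess helpers such as put_user(), which validate the user address themselves and already return -EFAULT for NULL, and the new test also does nothing for the far larger set of non-NULL invalid user pointers, which those helpers still have to catch. If a check were kept, kernel style is `if (!argp)`. Separately, the file headers `a/keyboard.c` / `b/keyboard.c` lack the `drivers/s390/char/` prefix, so the patch will not apply from the tree root; regenerate it with `git format-patch` from the top-level directory and add a Signed-off-by line.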
https://bugzilla.kernel.org/show_bug.cgi?id=196575
* Re: drivers/s390/char/keyboard.c NULL pointer reference
From: Heiko Carstens @ 2017-08-04 9:26 UTC (permalink / raw)
To: sohu0106; +Cc: schwidefsky, linux-s390, torvalds, linux-kernel
On Thu, Aug 03, 2017 at 09:57:38PM +0800, sohu0106 wrote:
>
>
> Local users are able to send a NULL arg argument to kbd_ioctl(), which could cause a kernel crash
>
>
>
>
> diff --git a/keyboard.c
> b/keyboard.c
> index ba0e4f9..3ec16b1 100644
> --- a/keyboard.c
> +++ b/keyboard.c
> @@ -456,6 +456,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
> int perm;
>
> argp = (void __user *)arg;
> + if( !argp )
> + return -EFAULT;
This doesn't make sense either. All uaccess functions are able to handle
NULL pointers within user space.
* Re:Re: drivers/s390/char/keyboard.c NULL pointer reference
From: sohu0106 @ 2017-08-05 1:44 UTC (permalink / raw)
To: Heiko Carstens; +Cc: schwidefsky, linux-s390, torvalds, linux-kernel
I don't understand a bit. My idea is

in userland

    fd = open("tty3270", O_RDONLY);
    ...
    ret = ioctl(fd, KDGKBDIACR, NULL);
    ...

then here
drivers/s390/char/keyboard.c
477
    case KDGKBDIACR:
    {
        struct kbdiacrs __user *a = argp;
        struct kbdiacr diacr;
        int i;

        // a is NULL, a->kb_cnt will crash
        if (put_user(kbd->accent_table_size, &a->kb_cnt))
At 2017-08-04 17:26:08, "Heiko Carstens" <heiko.carstens@de.ibm.com> wrote:
>On Thu, Aug 03, 2017 at 09:57:38PM +0800, sohu0106 wrote:
>>
>>
>> Local users are able to send a NULL arg argument to kbd_ioctl(), which could cause a kernel crash
>>
>>
>>
>>
>> diff --git a/keyboard.c
>> b/keyboard.c
>> index ba0e4f9..3ec16b1 100644
>> --- a/keyboard.c
>> +++ b/keyboard.c
>> @@ -456,6 +456,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
>> int perm;
>>
>> argp = (void __user *)arg;
>> + if( !argp )
>> + return -EFAULT;
>
>This doesn't make sense either. All uaccess functions are able to handle
>NULL pointers within user space.
>
* Re: Re: drivers/s390/char/keyboard.c NULL pointer reference
From: Heiko Carstens @ 2017-08-05 7:50 UTC (permalink / raw)
To: sohu0106; +Cc: schwidefsky, linux-s390, torvalds, linux-kernel
On Sat, Aug 05, 2017 at 09:44:45AM +0800, sohu0106 wrote:
>
>
> I don't understand a bit. My idea is
>
> in userland
>
> fd=open("tty3270",O_RDONLY)
> ...
> ret=ioctl(fd,KDGKBDIACR,NULL)
> ...
>
> then here
> drivers/s390/char/keyboard.c
> 477
> case KDGKBDIACR:
> {
> struct kbdiacrs __user *a = argp;
> struct kbdiacr diacr;
> int i;
>
> // a is NULL, a->kb_cnt will crash
> if (put_user(kbd->accent_table_size, &a->kb_cnt))
a->kb_cnt and &a->kb_cnt are not the same...
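The point Heiko makes in the two replies above, shown in user-space C as an added example (not code from the thread or from the s390 driver): `&a->kb_cnt` with `a == NULL` is only address arithmetic, nothing is loaded through `a`, and the address is rejected inside put_user() when its access check fails. The struct layout is copied from `<linux/kd.h>`; `access_ok_mock`, `put_user_mock_u32`, `kdgkbdiacr_mock` and the simulated user region are stand-ins invented for this example and only imitate the kernel contract (range check, -EFAULT on failure, no dereference before the check). The second variant carries the NULL test from the proposed patch to show it changes no result, and a non-NULL unmapped pointer is included because that case is what the patch's check would never catch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout copied from <linux/kd.h> so the example builds stand-alone. */
struct kbdiacr { unsigned char diacr, base, result; };
struct kbdiacrs {
    unsigned int kb_cnt;
    struct kbdiacr kbdiacr[256];
};

/* Simulated "user address space" (constructed for this example): only this
 * buffer counts as mapped. The kernel uses access_ok() plus the exception
 * table for unmapped pages; here a range check stands in for both. */
static unsigned char user_region[sizeof(struct kbdiacrs)];

static int access_ok_mock(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_region;
    uintptr_t hi = lo + sizeof(user_region);
    /* NULL, and any other address outside the mapped region, fails here.
     * The pointer has not been dereferenced at this point. */
    return a >= lo && a <= hi && n <= hi - a;
}

/* Mock of put_user(): the store happens only after the access check passed;
 * otherwise -EFAULT is returned, which is the kernel contract. */
static int put_user_mock_u32(unsigned int x, unsigned int *uptr)
{
    if (!access_ok_mock(uptr, sizeof(*uptr)))
        return -EFAULT;
    memcpy(uptr, &x, sizeof(x));
    return 0;
}

/* Mirrors the KDGKBDIACR step quoted in the thread. "a" may be NULL:
 * &a->kb_cnt is a computed address (offset 0 in this struct), not a load
 * through a, so no fault can occur before put_user() validates it. */
static int kdgkbdiacr_mock(unsigned int accent_table_size, void *argp)
{
    struct kbdiacrs *a = argp;

    if (put_user_mock_u32(accent_table_size, &a->kb_cnt))
        return -EFAULT;
    return 0;
}

/* Same step with the explicit NULL test from the proposed patch. */
static int kdgkbdiacr_with_null_check(unsigned int accent_table_size, void *argp)
{
    if (!argp)
        return -EFAULT;
    return kdgkbdiacr_mock(accent_table_size, argp);
}

/* Read back what landed in the simulated user buffer. */
static unsigned int user_kb_cnt(void)
{
    unsigned int v;
    memcpy(&v, user_region, sizeof(v));
    return v;
}

int main(void)
{
    printf("NULL argp, no extra check:     %d\n", kdgkbdiacr_mock(7, NULL));
    printf("NULL argp, with extra check:   %d\n", kdgkbdiacr_with_null_check(7, NULL));
    printf("unmapped non-NULL, extra check: %d\n",
           kdgkbdiacr_with_null_check(7, (void *)16));
    printf("valid argp:                    %d (kb_cnt=%u)\n",
           kdgkbdiacr_mock(7, user_region), user_kb_cnt());
    return 0;
}
```

Both the checked and unchecked variants return -EFAULT for NULL, the valid buffer receives the count, and the unmapped non-NULL address is rejected only by the put_user() path, which is why the access check belongs in the uaccess helper rather than in each ioctl case.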