From: Dawson Engler <engler@csl.Stanford.EDU>
To: linux-kernel@vger.kernel.org
Subject: [CHECKER] security rules? (and 2.4.5-ac4 security bug)
Date: Sun, 3 Jun 2001 01:07:37 -0700 (PDT) [thread overview]
Message-ID: <200106030807.BAA02597@csl.Stanford.EDU> (raw)
Hi All,
Enclosed is a potential security hole in 2.4.5-ac where an integer from
user space is used as a length argument to copy_to_user.
Additionally, do people have suggestions for good security rules?
We're looking to expand our security checkers. Right now we just have
checkers that warn when:
1. user pointers are dereferenced
2. an integer from user space is used as a length argument to
copy*user or as an array index. (this is getting extended
to include data from network packets)
3. user input can trigger a known bug (e.g., the failed release of
a lock, or a copy_*_user call with interrupts disabled).
more preliminary:
(4) a checker that derives when you're supposed to
do an capable? call and warns when you don't.
(5) checkers to find typical format string bugs.
I'm sure there are a huge set of security holes that are not covered by
these sorts of checks, so if anyone has suggestions, please let us know.
Dawson
PS Someone from world.std.com (I believe) sent a nice rule yesterday,
but I accidently deleted the message --- could you please resend?
[BUG]
/u2/engler/mc/oses/linux/2.4.5-ac4/drivers/char/random.c:1813:uuid_strategy: ERROR:RANGE:1809:1813: Using user length "len" as argument to "copy_to_user" [type=LOCAL] set by 'get_user':1813
uuid[8] = 0;
}
if (uuid[8] == 0)
generate_random_uuid(uuid);
Start --->
get_user(len, oldlenp);
if (len) {
if (len > 16)
len = 16;
Error --->
if (copy_to_user(oldval, table->data, len))
return -EFAULT;
if (put_user(len, oldlenp))
return -EFAULT;
next reply other threads:[~2001-06-03 8:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-06-03 8:07 Dawson Engler [this message]
2001-06-03 11:22 ` [CHECKER] security rules? (and 2.4.5-ac4 security bug) Alan Cox
2001-06-08 11:24 ` Florian Weimer
2001-06-04 12:20 Hank Leininger
2001-06-09 18:07 ` Theodore Tso
2001-06-10 2:13 ` Dawson Engler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200106030807.BAA02597@csl.Stanford.EDU \
--to=engler@csl.stanford.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).