linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Chris Wright <chris@wirex.com>
To: Junfeng Yang <yjf@stanford.edu>
Cc: linux-kernel@vger.kernel.org, mc@cs.stanford.edu, kas@fi.muni.cz
Subject: Re: [CHECKER] potential dereference of user pointer errors
Date: Fri, 21 Mar 2003 15:55:47 -0800	[thread overview]
Message-ID: <20030321155547.C646@figure1.int.wirex.com> (raw)
In-Reply-To: <Pine.GSO.4.44.0303202226230.24869-100000@elaine24.Stanford.EDU>; from yjf@stanford.edu on Thu, Mar 20, 2003 at 10:33:45PM -0800

* Junfeng Yang (yjf@stanford.edu) wrote:
> 
> [BUG] cosa_getidstr calls copy_to_user on arg, which implies arg is
> tainted.

True, arg is a pointer from userspace call to ioctl().

> /home/junfeng/linux-2.5.63/drivers/net/wan/cosa.c:1109:cosa_readmem:
> ERROR:TAINTED deferencing "d" tainted by [dist=2][called by
> cosa_ioctl_common:parm3 calling cosa_getidstr:parm1 calling
> copy_to_user:parm0]

Both cosa_readmem and cosa_download don't seem to do any validation of
the user supplied ptr at all before dereferncing it in get_user.  And
it'd make sense to use 'code' in cosa_reamdme (as in cosa_download)
instead of 'd->code'.  Jan, does this look OK?

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

===== drivers/net/wan/cosa.c 1.17 vs edited =====
--- 1.17/drivers/net/wan/cosa.c	Mon Jan 13 17:11:59 2003
+++ edited/drivers/net/wan/cosa.c	Fri Mar 21 15:53:38 2003
@@ -1057,7 +1057,8 @@
 		return -EPERM;
 	}
 
-	if (get_user(addr, &(d->addr)) ||
+	if (verify_area(VERIFY_READ, d, sizeof(*d)) ||
+	    __get_user(addr, &(d->addr)) ||
 	    __get_user(len, &(d->len)) ||
 	    __get_user(code, &(d->code)))
 		return -EFAULT;
@@ -1098,7 +1099,8 @@
 		return -EPERM;
 	}
 
-	if (get_user(addr, &(d->addr)) ||
+	if (verify_area(VERIFY_READ, d, sizeof(*d)) ||
+	    __get_user(addr, &(d->addr)) ||
 	    __get_user(len, &(d->len)) ||
 	    __get_user(code, &(d->code)))
 		return -EFAULT;
@@ -1106,7 +1108,7 @@
 	/* If something fails, force the user to reset the card */
 	cosa->firmware_status &= ~COSA_FW_RESET;
 
-	if ((i=readmem(cosa, d->code, len, addr)) < 0) {
+	if ((i=readmem(cosa, code, len, addr)) < 0) {
 		printk(KERN_NOTICE "cosa%d: reading memory failed: %d\n",
 			cosa->num, i);
 		return -EIO;

  parent reply	other threads:[~2003-03-21 23:46 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-03-04 11:12 [CHECKER] potential races in kernel/*.c mm/*.c net/*ipv4*.c Dawson Engler
2003-03-04 12:24 ` Hugh Dickins
2003-03-04 13:23 ` Martin Josefsson
2003-03-21  6:33 ` [CHECKER] potential dereference of user pointer errors Junfeng Yang
2003-03-21 21:44   ` Chris Wright
2003-03-21 21:58     ` Junfeng Yang
2003-03-21 22:06       ` Chris Wright
2003-03-21 22:08     ` Junfeng Yang
2003-03-21 22:15   ` Chris Wright
2003-03-22 20:49     ` Alan Cox
2003-03-22 20:19       ` Chris Wright
2003-03-21 23:55   ` Chris Wright [this message]
2003-03-27  8:07     ` Jan Kasprzak
2003-03-27 17:10       ` Chris Wright
2003-04-21  7:49         ` [CHECKER] Help Needed! Junfeng Yang
2003-04-21 21:26           ` Chris Wright
2003-04-26  2:18             ` [CHECKER] 30 potential dereference of user-pointer errors Junfeng Yang
2003-04-27  9:26               ` James Morris
2003-04-28  1:55                 ` Junfeng Yang
2003-04-27 20:18               ` Nick Holloway
2003-04-27 21:14                 ` Junfeng Yang
2003-04-27 21:29               ` Junfeng Yang
2003-04-28  6:43               ` [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data Junfeng Yang
2003-04-29  7:25                 ` Greg KH
2003-04-29  9:14                   ` Junfeng Yang
2003-04-28  6:50               ` [CHECKER] 8 potential user-pointer errors that allow arbitrary writes to kernel Junfeng Yang
2003-04-28 12:49                 ` Alan Cox
2003-04-28 19:11                   ` Junfeng Yang
2003-04-29  0:02                     ` [CHECKER] 5 potential user-pointer errors in write_proc Junfeng Yang
2003-04-29  7:26               ` [CHECKER] 30 potential dereference of user-pointer errors Greg KH
2003-03-22  0:15   ` [CHECKER] potential dereference of user pointer errors Chris Wright
2003-03-22  0:32     ` Greg KH
2003-03-22  0:47       ` Chris Wright
2003-03-22  1:00         ` Greg KH
2003-03-22  0:32   ` Chris Wright
2003-03-23 23:10   ` Junfeng Yang
2003-03-24  0:24     ` [CHECKER] 63 potential calling blocking functions with locks held errors Junfeng Yang
2003-03-24 12:35       ` [CHECKER] 8 potential calling blocking kmalloc(GFP_KERNEL) " Junfeng Yang
2003-03-24  0:29     ` [CHECKER] 1 potential double unlock error Junfeng Yang
2003-03-24  9:07     ` [CHECKER] potential dereference of user pointer errors Jaroslav Kysela
2003-03-24 22:28   ` Raja R Harinath
2003-03-25  0:44     ` David S. Miller
2003-03-25 18:52       ` Raja R Harinath

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20030321155547.C646@figure1.int.wirex.com \
    --to=chris@wirex.com \
    --cc=kas@fi.muni.cz \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mc@cs.stanford.edu \
    --cc=yjf@stanford.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).