From: Jan Kasprzak <kas@informatics.muni.cz>
To: Junfeng Yang <yjf@stanford.edu>,
linux-kernel@vger.kernel.org, mc@cs.stanford.edu
Subject: Re: [CHECKER] potential dereference of user pointer errors
Date: Thu, 27 Mar 2003 09:07:13 +0100 [thread overview]
Message-ID: <20030327090713.A19647@fi.muni.cz> (raw)
In-Reply-To: <20030321155547.C646@figure1.int.wirex.com>; from chris@wirex.com on Fri, Mar 21, 2003 at 03:55:47PM -0800
Chris Wright wrote:
: Both cosa_readmem and cosa_download don't seem to do any validation of
: the user supplied ptr at all before dereferncing it in get_user. And
: it'd make sense to use 'code' in cosa_reamdme (as in cosa_download)
: instead of 'd->code'. Jan, does this look OK?
Yes, you are right. I've missed this. However, it is not
as bad as it looks like, because you need the CAP_SYS_RAWIO to
exploit this. I agree this patch should be applied.
: ===== drivers/net/wan/cosa.c 1.17 vs edited =====
: --- 1.17/drivers/net/wan/cosa.c Mon Jan 13 17:11:59 2003
: +++ edited/drivers/net/wan/cosa.c Fri Mar 21 15:53:38 2003
: @@ -1057,7 +1057,8 @@
: return -EPERM;
: }
:
: - if (get_user(addr, &(d->addr)) ||
: + if (verify_area(VERIFY_READ, d, sizeof(*d)) ||
: + __get_user(addr, &(d->addr)) ||
: __get_user(len, &(d->len)) ||
: __get_user(code, &(d->code)))
: return -EFAULT;
: @@ -1098,7 +1099,8 @@
: return -EPERM;
: }
:
: - if (get_user(addr, &(d->addr)) ||
: + if (verify_area(VERIFY_READ, d, sizeof(*d)) ||
: + __get_user(addr, &(d->addr)) ||
: __get_user(len, &(d->len)) ||
: __get_user(code, &(d->code)))
: return -EFAULT;
: @@ -1106,7 +1108,7 @@
: /* If something fails, force the user to reset the card */
: cosa->firmware_status &= ~COSA_FW_RESET;
:
: - if ((i=readmem(cosa, d->code, len, addr)) < 0) {
: + if ((i=readmem(cosa, code, len, addr)) < 0) {
: printk(KERN_NOTICE "cosa%d: reading memory failed: %d\n",
: cosa->num, i);
: return -EIO;
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Czech Linux Homepage: http://www.linux.cz/ |
|-- If you start doing things because you hate others and want to screw --|
|-- them over the end result is bad. --Linus Torvalds to the BBC News --|
next prev parent reply other threads:[~2003-03-27 7:56 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-03-04 11:12 [CHECKER] potential races in kernel/*.c mm/*.c net/*ipv4*.c Dawson Engler
2003-03-04 12:24 ` Hugh Dickins
2003-03-04 13:23 ` Martin Josefsson
2003-03-21 6:33 ` [CHECKER] potential dereference of user pointer errors Junfeng Yang
2003-03-21 21:44 ` Chris Wright
2003-03-21 21:58 ` Junfeng Yang
2003-03-21 22:06 ` Chris Wright
2003-03-21 22:08 ` Junfeng Yang
2003-03-21 22:15 ` Chris Wright
2003-03-22 20:49 ` Alan Cox
2003-03-22 20:19 ` Chris Wright
2003-03-21 23:55 ` Chris Wright
2003-03-27 8:07 ` Jan Kasprzak [this message]
2003-03-27 17:10 ` Chris Wright
2003-04-21 7:49 ` [CHECKER] Help Needed! Junfeng Yang
2003-04-21 21:26 ` Chris Wright
2003-04-26 2:18 ` [CHECKER] 30 potential dereference of user-pointer errors Junfeng Yang
2003-04-27 9:26 ` James Morris
2003-04-28 1:55 ` Junfeng Yang
2003-04-27 20:18 ` Nick Holloway
2003-04-27 21:14 ` Junfeng Yang
2003-04-27 21:29 ` Junfeng Yang
2003-04-28 6:43 ` [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data Junfeng Yang
2003-04-29 7:25 ` Greg KH
2003-04-29 9:14 ` Junfeng Yang
2003-04-28 6:50 ` [CHECKER] 8 potential user-pointer errors that allow arbitrary writes to kernel Junfeng Yang
2003-04-28 12:49 ` Alan Cox
2003-04-28 19:11 ` Junfeng Yang
2003-04-29 0:02 ` [CHECKER] 5 potential user-pointer errors in write_proc Junfeng Yang
2003-04-29 7:26 ` [CHECKER] 30 potential dereference of user-pointer errors Greg KH
2003-03-22 0:15 ` [CHECKER] potential dereference of user pointer errors Chris Wright
2003-03-22 0:32 ` Greg KH
2003-03-22 0:47 ` Chris Wright
2003-03-22 1:00 ` Greg KH
2003-03-22 0:32 ` Chris Wright
2003-03-23 23:10 ` Junfeng Yang
2003-03-24 0:24 ` [CHECKER] 63 potential calling blocking functions with locks held errors Junfeng Yang
2003-03-24 12:35 ` [CHECKER] 8 potential calling blocking kmalloc(GFP_KERNEL) " Junfeng Yang
2003-03-24 0:29 ` [CHECKER] 1 potential double unlock error Junfeng Yang
2003-03-24 9:07 ` [CHECKER] potential dereference of user pointer errors Jaroslav Kysela
2003-03-24 22:28 ` Raja R Harinath
2003-03-25 0:44 ` David S. Miller
2003-03-25 18:52 ` Raja R Harinath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030327090713.A19647@fi.muni.cz \
--to=kas@informatics.muni.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=mc@cs.stanford.edu \
--cc=yjf@stanford.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).