From: Jan Kasprzak <kas@fi.muni.cz>
To: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
Cc: linux-kernel@vger.kernel.org, jaharkes@cs.cmu.edu,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Andrew Morton <akpm@osdl.org>,
acme@conectiva.com.br, davem@redhat.com, kas@fi.muni.cz,
nathans@sgi.com
Subject: Re: [Coverity] Untrusted user data in kernel
Date: Thu, 6 Jan 2005 10:18:44 +0100 [thread overview]
Message-ID: <20050106091844.GB6961@fi.muni.cz> (raw)
In-Reply-To: <20050105140549.GA14622@logos.cnet>
: //////////////////////////////////////////////
: // 6: /drivers/net/wan/sdla.c::sdla_xfer //
: //////////////////////////////////////////////
:
I am not a maintainer of sdla driver, but being Cc'd with this
mail, I'll try to look at it.
: - tainted signed scalar mem.len passed to kmalloc and memset (1206 and
: 1211, or 1220 and 1223). Possibly minor because of kmalloc's
: implicit size check
Yes. The value mem.len is passed to kmalloc and the code immediately
returns -ENOMEM when kmalloc fails.
: Protected by NET_ADMIN caps, but definately needs some bound checking.
:
Depends on whether the kmalloc's internal checks are
sufficient or not.
: Jan, I think SDLA_MAX_DATA is the correct bound to check for here, can
: you confirm please?
:
I cannot because I don't know or even have this hardware.
However: looking at the definitions in include/linux/sdla.h and the
code itself it looks like SDLA_READMEM, SDLA_WRITEMEM, and SDLA_CLEAR
ioctls are for reading/writing/clearing the card memory itself (maybe
for debugging purposes or downloading a firmware or what). So no,
SDLA_MAX_DATA is probably not a correct limit there.
The SDLA_CLEAR ioctl (the sdla_clear(dev) function) tries
to clear exactly 65536 bytes (hardcoded at sdla.c:sdla_clear() line 140).
So the mem.len should be <= 65536 bytes, and even mem.addr + mem.len
should be <= 65536 bytes.
So I propose the following patch (maybe the constant 65536 should
be defined in sdla.h and used both in sdla_xfer() and sdla_clear()):
Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
--- linux-2.4.28/drivers/net/wan/sdla.c.orig 2002-11-29 00:53:14.000000000 +0100
+++ linux-2.4.28/drivers/net/wan/sdla.c 2005-01-06 10:14:21.115490248 +0100
@@ -1195,6 +1195,10 @@
if(copy_from_user(&mem, info, sizeof(mem)))
return -EFAULT;
+
+ if (mem.len <= 0 || mem.addr < 0 || mem.len > 65536 || mem.addr > 65535
+ || mem.addr + mem.len > 65536)
+ return -EFAULT;
if (read)
{
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Czech Linux Homepage: http://www.linux.cz/ |
> Whatever the Java applications and desktop dances may lead to, Unix will <
> still be pushing the packets around for a quite a while. --Rob Pike <
next prev parent reply other threads:[~2005-01-06 9:19 UTC|newest]
Thread overview: 238+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-17 1:33 [Coverity] Untrusted user data in kernel Bryan Fulton
2004-12-17 5:15 ` James Morris
2004-12-17 5:25 ` Patrick McHardy
2004-12-17 6:45 ` James Morris
2004-12-17 13:18 ` Tomas Carnecky
2004-12-17 19:16 ` David S. Miller
2004-12-17 19:34 ` Tomas Carnecky
2004-12-17 19:30 ` David S. Miller
2004-12-17 15:47 ` Bill Davidsen
2004-12-17 16:11 ` linux-os
2004-12-17 16:31 ` Oliver Neukum
2004-12-17 18:37 ` Bill Davidsen
2004-12-17 19:18 ` Tomas Carnecky
2004-12-17 19:30 ` Oliver Neukum
2004-12-17 19:39 ` Tomas Carnecky
2004-12-18 1:42 ` Horst von Brand
2004-12-17 15:10 ` Pavel Machek
2004-12-17 15:38 ` James Morris
2005-01-05 12:04 ` Marcelo Tosatti
2005-01-05 15:09 ` Jan Harkes
2005-01-05 23:17 ` Nathan Scott
[not found] ` <20050105161653.GF13455@fi.muni.cz>
[not found] ` <20050105140549.GA14622@logos.cnet>
2005-01-06 9:18 ` Jan Kasprzak [this message]
2005-01-06 14:48 ` Paulo Marques
2005-01-06 16:29 ` Alan Cox
2005-01-07 21:49 ` [PATCH 2.4.29-pre3-bk4] fs/coda " Jan Harkes
2005-01-07 21:54 ` [PATCH 2.6.10-mm2] " Jan Harkes
-- strict thread matches above, loose matches on Subject: below --
2004-12-02 0:04 What if? Imanpreet Singh Arora
2004-12-02 4:40 ` Theodore Ts'o
2004-12-02 6:39 ` Norbert van Nobelen
2004-12-02 8:24 ` James Bruce
2004-12-02 20:25 ` Theodore Ts'o
2004-12-03 2:23 ` David Schwartz
2004-12-02 8:33 ` J.A. Magallon
2004-12-02 10:46 ` Bernd Petrovitsch
2004-12-02 10:56 ` Pawel Sikora
2004-12-13 15:23 ` H. Peter Anvin
2004-12-13 21:08 ` J.A. Magallon
2004-12-16 0:57 ` Alan Cox
2004-12-16 2:44 ` H. Peter Anvin
2004-12-16 13:23 ` Alan Cox
2004-12-16 15:23 ` Geert Uytterhoeven
2004-12-16 20:37 ` H. Peter Anvin
2004-12-16 20:52 ` Jan Engelhardt
2004-12-16 20:56 ` H. Peter Anvin
2004-12-16 21:08 ` Jan Engelhardt
2004-12-02 10:25 ` Jan Engelhardt
2004-12-05 0:23 ` Horst von Brand
2004-12-05 6:21 ` Kyle Moffett
2004-12-05 22:43 ` Horst von Brand
2004-12-06 17:27 ` linux-os
2004-12-06 18:52 ` Horst von Brand
2004-12-02 10:53 ` Bernd Petrovitsch
2004-12-11 8:52 ` Gábor Lénárt
2004-11-04 16:01 Linux-2.6.9 won't allow a write to a NTFS file-system linux-os
2004-11-04 16:48 ` Giuseppe Bilotta
2004-11-04 17:09 ` linux-os
2004-11-04 17:40 ` Giuseppe Bilotta
2004-11-04 17:46 ` Mathieu Segaud
2004-11-04 22:17 ` Anton Altaparmakov
2004-11-04 22:18 ` Anton Altaparmakov
2004-11-04 22:38 ` linux-os
2004-11-05 14:43 ` Rahul Karnik
2004-11-05 1:46 ` Horst von Brand
2004-11-05 12:41 ` linux-os
2004-10-18 22:45 Linux v2.6.9 Linus Torvalds
2004-10-18 23:27 ` Thomas Zehetbauer
2004-10-19 2:54 ` Eric W. Biederman
2004-10-19 16:55 ` Jesper Juhl
2004-10-19 14:36 ` Linux v2.6.9... (compile stats) John Cherry
2004-10-19 16:18 ` Matthew Dharm
2004-10-19 16:49 ` viro
2004-10-19 21:37 ` John Cherry
2004-10-20 22:11 ` John Cherry
2004-10-20 22:41 ` viro
2004-10-21 0:12 ` Linus Torvalds
2004-10-21 0:29 ` Jeff Garzik
2004-10-21 0:44 ` viro
2004-10-21 1:55 ` viro
2004-10-21 1:59 ` Jeff Garzik
2004-10-21 2:24 ` viro
2004-10-21 2:37 ` Jeff Garzik
2004-10-21 4:35 ` viro
2004-10-21 8:57 ` Jeff Garzik
2004-10-20 22:50 ` Dave Jones
2004-10-19 17:38 ` Linux v2.6.9 and GPL Buyout Jeff V. Merkey
2004-10-19 19:13 ` Russell King
2004-10-19 19:04 ` Jeff V. Merkey
2004-10-19 19:24 ` Kurt Wall
2004-10-19 19:12 ` Jeff V. Merkey
2004-10-19 20:01 ` Richard B. Johnson
2004-10-19 20:39 ` Matt Mackall
2004-10-20 0:06 ` Richard B. Johnson
2004-10-20 5:21 ` Matt Mackall
2004-10-19 19:28 ` Andre Hedrick
2004-10-19 19:10 ` Jeff V. Merkey
2004-10-19 19:30 ` Rik van Riel
2004-10-19 19:05 ` Jeff V. Merkey
2004-10-19 20:14 ` Diego Calleja
2004-10-19 19:41 ` Jeff V. Merkey
2004-10-20 8:27 ` Bernd Petrovitsch
2004-10-20 8:45 ` Jens Axboe
2004-10-19 19:47 ` Jeff V. Merkey
2004-10-19 20:05 ` Richard B. Johnson
2004-10-19 19:38 ` Jeff V. Merkey
2004-10-19 20:30 ` Thomas Gleixner
2004-10-19 20:15 ` Jeff V. Merkey
2004-10-22 23:22 ` Tonnerre
2004-10-19 19:45 ` Ross Biro
2004-10-19 19:36 ` Jeff V. Merkey
2004-10-19 19:54 ` David Johnson
2004-10-19 19:55 ` viro
2004-10-19 19:25 ` Jeff V. Merkey
2004-10-19 20:38 ` Dax Kelson
2004-10-19 20:09 ` Jeff V. Merkey
2004-10-19 22:16 ` Jim Nelson
2004-10-19 22:57 ` Bernd Petrovitsch
2004-10-19 22:27 ` Scott Robert Ladd
2004-10-20 19:41 ` Bill Davidsen
2004-10-20 1:15 ` Horst von Brand
2004-10-20 1:16 ` Bastiaan Spandaw
2004-10-20 19:35 ` Bill Davidsen
2004-10-20 3:45 ` Ryan Anderson
2004-10-20 4:18 ` Lee Revell
2004-10-20 4:41 ` Lee Revell
2004-10-20 11:49 ` Richard B. Johnson
2004-10-29 12:12 ` Semaphore assembly-code bug linux-os
2004-10-29 14:46 ` Linus Torvalds
2004-10-29 15:11 ` Andi Kleen
2004-10-29 18:18 ` Linus Torvalds
2004-10-29 18:35 ` Richard Henderson
2004-10-29 16:06 ` Andreas Steinmetz
2004-10-29 17:08 ` linux-os
2004-10-29 18:06 ` Linus Torvalds
2004-10-29 18:39 ` linux-os
2004-10-29 19:12 ` Linus Torvalds
2004-11-01 1:31 ` linux-os
2004-11-01 5:49 ` Linus Torvalds
2004-11-01 20:23 ` dean gaudet
2004-11-01 20:52 ` linux-os
2004-11-01 21:23 ` dean gaudet
2004-11-01 22:22 ` linux-os
2004-11-01 21:40 ` Linus Torvalds
2004-11-01 21:46 ` Linus Torvalds
2004-11-02 15:02 ` linux-os
2004-11-02 16:02 ` Linus Torvalds
2004-11-02 16:06 ` Linus Torvalds
2004-11-02 16:51 ` linux-os
2004-11-01 22:16 ` linux-os
2004-11-01 22:26 ` Linus Torvalds
2004-11-01 23:14 ` linux-os
2004-11-01 23:42 ` Linus Torvalds
2004-11-03 1:52 ` Horst von Brand
2004-11-03 21:24 ` Bill Davidsen
2004-11-02 6:37 ` Chris Friesen
2004-10-29 18:58 ` Andreas Steinmetz
2004-10-29 19:15 ` Linus Torvalds
2004-10-29 19:40 ` Andreas Steinmetz
2004-10-29 19:56 ` Linus Torvalds
2004-10-29 22:07 ` Jeff Garzik
2004-10-29 23:50 ` dean gaudet
2004-10-30 0:15 ` Linus Torvalds
2004-10-29 23:37 ` dean gaudet
2004-10-29 17:22 ` linux-os
2004-10-29 17:55 ` Richard Henderson
2004-10-29 18:17 ` linux-os
2004-10-29 18:42 ` Linus Torvalds
2004-10-29 18:54 ` Linus Torvalds
2004-10-30 3:35 ` Jeff Garzik
2004-10-29 19:20 ` Linus Torvalds
2004-10-29 19:26 ` Linus Torvalds
2004-10-29 21:03 ` Linus Torvalds
2004-10-29 17:57 ` Richard Henderson
2004-10-29 18:37 ` Gabriel Paubert
2004-10-20 5:58 ` Linux v2.6.9 and GPL Buyout John Alvord
2004-10-20 14:42 ` Martin Waitz
2004-10-21 23:59 ` Kelledin
2004-10-22 8:46 ` Bernd Petrovitsch
2004-10-22 9:07 ` David Weinehall
2004-10-22 16:15 ` Jeff V. Merkey
2004-10-22 17:52 ` Al Viro
2004-10-22 17:22 ` Jeff V. Merkey
2004-10-22 19:37 ` Jeff V. Merkey
2004-10-22 20:46 ` Grahame White
2004-10-22 20:58 ` Buddy Lucas
2004-10-22 21:00 ` Richard B. Johnson
2004-10-22 21:03 ` Thomas Gleixner
2004-10-23 12:33 ` Bernd Petrovitsch
2004-10-24 14:15 ` Kai Henningsen
2004-10-27 1:45 ` Horst von Brand
2004-10-24 11:00 ` Matthias Andree
2004-10-24 14:13 ` Kai Henningsen
2004-10-25 18:44 ` Bill Davidsen
2004-10-20 19:46 ` Bill Davidsen
2004-10-19 21:02 ` Pekka Pietikainen
2004-10-19 20:27 ` Jeff V. Merkey
2004-10-22 6:54 ` Erik Andersen
2004-10-22 16:12 ` Jeff V. Merkey
2004-10-19 21:17 ` Paul Fulghum
2004-10-20 20:41 ` Geert Uytterhoeven
2004-10-23 13:43 ` James Bruce
2004-10-19 21:26 ` Ramón Rey Vicente
2004-10-19 22:52 ` Buddy Lucas
2004-10-20 23:43 ` Eric Bambach
2004-10-20 23:48 ` Eric Bambach
2004-10-20 23:59 ` Hua Zhong
2004-10-21 0:13 ` Russell Miller
2004-10-21 0:18 ` Adam Heath
2004-10-21 10:16 ` Horst von Brand
2004-10-22 8:48 ` Ingo Molnar
2004-10-22 16:15 ` Jeff V. Merkey
2004-10-23 0:14 ` Jon Masters
2004-10-22 23:46 ` Jeff V. Merkey
2004-10-23 0:57 ` Jon Masters
2004-10-23 4:42 ` Jeff V. Merkey
2004-10-23 6:32 ` Nick Piggin
[not found] ` <20041023064538.GA7866@galt.devicelogics.com>
2004-10-23 7:20 ` Jeff V. Merkey
2004-10-23 10:11 ` Gene Heskett
2004-10-23 16:28 ` Linus Torvalds
2004-10-24 2:48 ` Jesper Juhl
2004-10-24 5:11 ` Jeff V. Merkey
2004-10-24 11:14 ` Jon Masters
2004-10-24 11:50 ` Jim Nelson
2004-10-24 15:35 ` Ingo Molnar
2004-10-24 15:53 ` Bernd Petrovitsch
2004-10-31 23:14 ` Jan 'JaSan' Sarenik
2004-10-24 2:11 ` Buddy Lucas
2004-10-23 0:38 ` Lee Revell
2004-10-23 0:07 ` Jeff V. Merkey
2004-10-23 1:06 ` Lee Revell
2004-10-21 2:41 ` Linux v2.6.9 (Strange tty problem?) Paul
2004-10-21 9:07 ` Alan Cox
2004-10-21 12:39 ` Russell King
2004-10-21 13:20 ` Paul Fulghum
2004-10-21 15:37 ` Alan Cox
2004-10-21 17:00 ` Paul Fulghum
2004-10-21 15:47 ` Paul Fulghum
2004-10-21 18:12 ` Paul Fulghum
2004-10-31 21:11 ` Linux v2.6.9 dies when starting X on radeon 9200 SE PCI Helge Hafting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050106091844.GB6961@fi.muni.cz \
--to=kas@fi.muni.cz \
--cc=acme@conectiva.com.br \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@redhat.com \
--cc=jaharkes@cs.cmu.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.tosatti@cyclades.com \
--cc=nathans@sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).