From: Junfeng Yang <yjf@stanford.edu>
To: Chris Wright <chris@wirex.com>
Cc: linux-kernel@vger.kernel.org, <mc@cs.stanford.edu>, <perex@suse.cx>
Subject: Re: [CHECKER] potential dereference of user pointer errors
Date: Fri, 21 Mar 2003 13:58:19 -0800 (PST) [thread overview]
Message-ID: <Pine.GSO.4.44.0303211355080.12835-100000@elaine24.Stanford.EDU> (raw)
In-Reply-To: <20030321134449.A646@figure1.int.wirex.com>
Thanks a lot for your confirmation! So actually the first copy_from_user
is meant to copy in what "*data" points to, not "data".
-Junfeng
On Fri, 21 Mar 2003, Chris Wright wrote:
> * Junfeng Yang (yjf@stanford.edu) wrote:
> >
> > [BUG] not sure. the dereference occurs at a tainted place. call
> > copy_from_user (, data, ), then copy_from_user (, *data, )
> >
> > /home/junfeng/linux-2.5.63/sound/core/seq/instr/ainstr_iw.c:92:snd_seq_iwffff_copy_env_from_stream:
> > ERROR:TAINTED deferencing "data" tainted by [dist=0][copy_from_user:parm1]
>
> seems like a bug, although i think it's the first copy_from_user that
> would be broken.
>
> Looks like call flow could be something like:
> Store user buf ptr in event.data.ext.ptr.
> Call snd_seq_iwffff_put with the event.data.ext.ptr (offset by header bits)
> Call snd_seq_iwffff_copy_env_from_stream with &event.data.ext.ptr (offset a
> little further).
>
> Finally, call copy_from_user on &event.data.ext.ptr, which is copying
> into an stype. This looks like it's the bug. I don't think the 32 bit
> addr should be copied into the stype, rather the 1st 32bits of the data
> (IOW copy_from_user(stype, *data,...)). The second copy_from_user (with
> *data) copies in the whole iwffff_env_record_t struct which begins with
> an stype, so it really looks as if the first copy is broken. Patch
> below. Jaroslav?
>
> thanks,
> -chris
> --
> Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
>
> ===== instr/ainstr_iw.c 1.3 vs edited =====
> --- 1.3/sound/core/seq/instr/ainstr_iw.c Mon Feb 10 02:39:27 2003
> +++ edited/instr/ainstr_iw.c Fri Mar 21 13:01:32 2003
> @@ -78,7 +78,7 @@
> while (1) {
> if (*len < (long)sizeof(__u32))
> return -EINVAL;
> - if (copy_from_user(&stype, data, sizeof(stype)))
> + if (copy_from_user(&stype, *data, sizeof(stype)))
> return -EFAULT;
> if (stype == IWFFFF_STRU_WAVE)
> return 0;
>
next prev parent reply other threads:[~2003-03-21 21:53 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-03-04 11:12 [CHECKER] potential races in kernel/*.c mm/*.c net/*ipv4*.c Dawson Engler
2003-03-04 12:24 ` Hugh Dickins
2003-03-04 13:23 ` Martin Josefsson
2003-03-21 6:33 ` [CHECKER] potential dereference of user pointer errors Junfeng Yang
2003-03-21 21:44 ` Chris Wright
2003-03-21 21:58 ` Junfeng Yang [this message]
2003-03-21 22:06 ` Chris Wright
2003-03-21 22:08 ` Junfeng Yang
2003-03-21 22:15 ` Chris Wright
2003-03-22 20:49 ` Alan Cox
2003-03-22 20:19 ` Chris Wright
2003-03-21 23:55 ` Chris Wright
2003-03-27 8:07 ` Jan Kasprzak
2003-03-27 17:10 ` Chris Wright
2003-04-21 7:49 ` [CHECKER] Help Needed! Junfeng Yang
2003-04-21 21:26 ` Chris Wright
2003-04-26 2:18 ` [CHECKER] 30 potential dereference of user-pointer errors Junfeng Yang
2003-04-27 9:26 ` James Morris
2003-04-28 1:55 ` Junfeng Yang
2003-04-27 20:18 ` Nick Holloway
2003-04-27 21:14 ` Junfeng Yang
2003-04-27 21:29 ` Junfeng Yang
2003-04-28 6:43 ` [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data Junfeng Yang
2003-04-29 7:25 ` Greg KH
2003-04-29 9:14 ` Junfeng Yang
2003-04-28 6:50 ` [CHECKER] 8 potential user-pointer errors that allow arbitrary writes to kernel Junfeng Yang
2003-04-28 12:49 ` Alan Cox
2003-04-28 19:11 ` Junfeng Yang
2003-04-29 0:02 ` [CHECKER] 5 potential user-pointer errors in write_proc Junfeng Yang
2003-04-29 7:26 ` [CHECKER] 30 potential dereference of user-pointer errors Greg KH
2003-03-22 0:15 ` [CHECKER] potential dereference of user pointer errors Chris Wright
2003-03-22 0:32 ` Greg KH
2003-03-22 0:47 ` Chris Wright
2003-03-22 1:00 ` Greg KH
2003-03-22 0:32 ` Chris Wright
2003-03-23 23:10 ` Junfeng Yang
2003-03-24 0:24 ` [CHECKER] 63 potential calling blocking functions with locks held errors Junfeng Yang
2003-03-24 12:35 ` [CHECKER] 8 potential calling blocking kmalloc(GFP_KERNEL) " Junfeng Yang
2003-03-24 0:29 ` [CHECKER] 1 potential double unlock error Junfeng Yang
2003-03-24 9:07 ` [CHECKER] potential dereference of user pointer errors Jaroslav Kysela
2003-03-24 22:28 ` Raja R Harinath
2003-03-25 0:44 ` David S. Miller
2003-03-25 18:52 ` Raja R Harinath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.GSO.4.44.0303211355080.12835-100000@elaine24.Stanford.EDU \
--to=yjf@stanford.edu \
--cc=chris@wirex.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mc@cs.stanford.edu \
--cc=perex@suse.cx \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).