Re: [CHECKER] security errors for 2.4.9 and 2.4.9-ac7

From: Petr Vandrovec (vandrove@vc.cvut.cz)
Date: Tue Sep 04 2001 - 16:56:55 EST


On Tue, Sep 04, 2001 at 02:07:05PM -0700, Kenneth Michael Ashcraft wrote:
> /home/kash/linux/2.4.9/fs/ncpfs/ioctl.c:394:ncp_ioctl: ERROR:RANGE:387:394: Using user length "outl" as argument to "copy_to_user" [type=LOCAL] [state = need_lb] set by 'copy_from_user':387 [linkages -> 387:outl=object_name_len -> 387:user->object_name
>
> if (copy_from_user(&user,
> (struct ncp_objectname_ioctl*)arg,
> sizeof(user))) return -EFAULT;
> user.auth_type = server->auth.auth_type;
> Start --->
> outl = user.object_name_len;
> user.object_name_len = server->auth.object_name_len;
> if (outl > user.object_name_len)
> outl = user.object_name_len;
> if (outl) {
> if (copy_to_user(user.object_name,
> server->auth.object_name,
> Error --->
> outl)) return -EFAULT;
> }
> if (copy_to_user((struct ncp_objectname_ioctl*)arg,
> &user,
> ---------------------------------------------------------
> [BUG] make user.len large enough so that outl becomes negative. outl will then be < server->priv.len and make it past the check (gem)
> /home/kash/linux/2.4.9/fs/ncpfs/ioctl.c:462:ncp_ioctl: ERROR:RANGE:456:462: Using user length "outl" as argument to "copy_to_user" [type=LOCAL] [state = need_lb] set by 'copy_from_user':456 [linkages -> 456:outl=len -> 456:user->len -> 456:user:start]

Hi Kenneth,
  I'll fix these two - but fortunately they are no problem even now.
Although outl is defined as 'int', it is compared against
'user.object_name_len', which is 'size_t' (which is unsigned int),
so the whole comparison is done unsigned and not signed. Thanks
for spotting anyway, there is no reason why it should not be
size_t.
                                        Petr Vandrovec
                                        vandrove@vc.cvut.cz

P.S.: And report about drivers/video/matrox/matroxfb_crtc2:535
is completely innocent - it passes these three mentioned
ioctl types down to first head's ioctl handler (and it is
not sisfb_ioctl, definitely... usually it is matroxfb_ioctl
from matroxfb_base.c).
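As an added example (not code from this thread or from ncpfs), the three comparisons discussed above side by side: the 2.4.9 code as written (int length against a size_t bound), the case the checker assumed (both sides signed), and the size_t fix Petr proposes. The helper names and the 16-byte server-side length are constructed for illustration; the int-from-size_t conversion relies on the usual two's-complement wraparound, which is implementation-defined in C but what gcc and clang do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* As written in 2.4.9: outl is int, server-side length is size_t.
 * The usual arithmetic conversions turn the int into size_t for the
 * comparison, so a "negative" outl is seen as a huge unsigned value
 * and is clamped. Returns the length that would reach copy_to_user. */
size_t clamp_as_written(size_t user_len, size_t server_len)
{
    int outl = user_len;          /* huge size_t wraps to a negative int */
    if (outl > server_len)        /* int converted to size_t: unsigned compare */
        outl = server_len;
    return (size_t)outl;
}

/* What the checker feared: if the bound were also signed, a negative
 * outl would pass the check and then become an enormous length when
 * converted back to size_t for the copy. */
size_t clamp_if_bound_were_int(size_t user_len, int server_len)
{
    int outl = user_len;
    if (outl > server_len)        /* signed compare: -1 > 16 is false */
        outl = server_len;
    return (size_t)outl;          /* -1 becomes SIZE_MAX */
}

/* The proposed fix: keep outl as size_t so no wrap and no mixed compare. */
size_t clamp_fixed(size_t user_len, size_t server_len)
{
    size_t outl = user_len;
    if (outl > server_len)
        outl = server_len;
    return outl;
}

int main(void)
{
    size_t huge = SIZE_MAX;       /* constructed attacker-style length */
    printf("as written:       %zu\n", clamp_as_written(huge, 16));
    printf("if bound were int: %zu\n", clamp_if_bound_were_int(huge, 16));
    printf("fixed:            %zu\n", clamp_fixed(huge, 16));
    return 0;
}
```

Only the middle variant lets an oversized user length through, which is why the mixed int/size_t comparison in the original code happened to be safe even before the type was changed.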




This archive was generated by hypermail 2b29 : Fri Sep 07 2001 - 21:00:28 EST