Re: [CHECKER] potential dereference of user pointer errors

From: Jaroslav Kysela (perex@suse.cz)
Date: Mon Mar 24 2003 - 04:07:07 EST

Next message: Martin Mares: "Re: GETHOSTBYNAME()"
Previous message: William Lee Irwin III: "Re: lmbench results for 2.4 and 2.5 -- updated results"
Next in thread: Raja R Harinath: "Re: [CHECKER] potential dereference of user pointer errors"
Maybe reply: Raja R Harinath: "Re: [CHECKER] potential dereference of user pointer errors"
Maybe reply: Jan Kasprzak: "Re: [CHECKER] potential dereference of user pointer errors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 23 Mar 2003, Junfeng Yang wrote:

> ---------------------------------------------------------
> [BUG] snd_sb_csp_ioctl -> snd_sb_csp_riff_load ->snd_sb_csp_load.
> /home/junfeng/linux-2.5.63/sound/isa/sb/sb16_csp.c:647:snd_sb_csp_load:
> ERROR:tainted:647:647:deferencing buf++ tainted by
> [dist=-1][(null)][TRANS: buf++, $stop$->tainted,
> /home/junfeng/linux-2.5.63/sound/isa/sb/sb16_csp.c, snd_sb_csp_load, 647]
>
> }
> kfree (_kbuf);
> } else {
> /* load from kernel space */
> while (size--) {
>
> Error --->
> if (!snd_sbdsp_command(p->chip, *buf++))
> goto __fail;
> }
> }

This code is ok. The source (user or kernel space) is checked a few lines
before.

> ---------------------------------------------------------
> [BUG] copy function can take tainted inputs
> /home/junfeng/linux-2.5.63/sound/pci/es1938.c:833:snd_es1938_capture_copy:
> ERROR:tainted:835:833: passing dst into deref cal __constant_memcpy
> [dist=1][thru snd_pcm_ops_t:copy
> /home/junfeng/linux-2.5.63/sound/pci/cmipci.c:snd_cmipci_ac3_copy:parm3
> copy_from_user:parm1][START: dst, unknown->tainted,
> /home/junfeng/linux-2.5.63/sound/pci/es1938.c, snd_es1938_capture_copy,
> 833]
>
> es1938_t *chip = snd_pcm_substream_chip(substream);
> pos <<= chip->dma1_shift;
> count <<= chip->dma1_shift;
> snd_assert(pos + count <= chip->dma1_size, return -EINVAL);
> if (pos + count < chip->dma1_size)
> Error --->
> memcpy(dst, runtime->dma_area + pos + 1, count);
> else {
> Start --->
> memcpy(dst, runtime->dma_area + pos + 1, count - 1);
> ((unsigned char *)dst)[count - 1] = runtime->dma_area[0];
> }
> return 0;

Fixed. Replaced memcpy with copy_to_user(). Thanks.

Jaroslav

-----
Jaroslav Kysela <perex@suse.cz>
Linux Kernel Sound Maintainer
ALSA Project, SuSE Labs

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Martin Mares: "Re: GETHOSTBYNAME()"
Previous message: William Lee Irwin III: "Re: lmbench results for 2.4 and 2.5 -- updated results"
Next in thread: Raja R Harinath: "Re: [CHECKER] potential dereference of user pointer errors"
Maybe reply: Raja R Harinath: "Re: [CHECKER] potential dereference of user pointer errors"
Maybe reply: Jan Kasprzak: "Re: [CHECKER] potential dereference of user pointer errors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Mar 31 2003 - 22:00:15 EST