Re: [CHECKER] potential dereference of user pointer errors

From: Jan Kasprzak (kas@informatics.muni.cz)
Date: Thu Mar 27 2003 - 03:07:13 EST

Next message: Josh McKinney: "Re: [linux-usb-devel] Re: [PATCH] Logitech USB mice/trackball extensions"
Previous message: Margit Schubert-While: "Linux 2.4.21-pre6"
Next in thread: Chris Wright: "Re: [CHECKER] potential dereference of user pointer errors"
Reply: Chris Wright: "Re: [CHECKER] potential dereference of user pointer errors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Chris Wright wrote:
: Both cosa_readmem and cosa_download don't seem to do any validation of
: the user supplied ptr at all before dereferncing it in get_user. And
: it'd make sense to use 'code' in cosa_reamdme (as in cosa_download)
: instead of 'd->code'. Jan, does this look OK?

Yes, you are right. I've missed this. However, it is not
as bad as it looks like, because you need the CAP_SYS_RAWIO to
exploit this. I agree this patch should be applied.

: ===== drivers/net/wan/cosa.c 1.17 vs edited =====
: --- 1.17/drivers/net/wan/cosa.c Mon Jan 13 17:11:59 2003
: +++ edited/drivers/net/wan/cosa.c Fri Mar 21 15:53:38 2003
: @@ -1057,7 +1057,8 @@
: return -EPERM;
: }
:
: - if (get_user(addr, &(d->addr)) ||
: + if (verify_area(VERIFY_READ, d, sizeof(*d)) ||
: + __get_user(addr, &(d->addr)) ||
: __get_user(len, &(d->len)) ||
: __get_user(code, &(d->code)))
: return -EFAULT;
: @@ -1098,7 +1099,8 @@
: return -EPERM;
: }
:
: - if (get_user(addr, &(d->addr)) ||
: + if (verify_area(VERIFY_READ, d, sizeof(*d)) ||
: + __get_user(addr, &(d->addr)) ||
: __get_user(len, &(d->len)) ||
: __get_user(code, &(d->code)))
: return -EFAULT;
: @@ -1106,7 +1108,7 @@
: /* If something fails, force the user to reset the card */
: cosa->firmware_status &= ~COSA_FW_RESET;
:
: - if ((i=readmem(cosa, d->code, len, addr)) < 0) {
: + if ((i=readmem(cosa, code, len, addr)) < 0) {
: printk(KERN_NOTICE "cosa%d: reading memory failed: %d\n",
: cosa->num, i);
: return -EIO;

-Yenya

-- 
| Jan "Yenya" Kasprzak  <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839      Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/   Czech Linux Homepage: http://www.linux.cz/ |
|-- If you start doing things because you hate others and want to screw  --|
|-- them over the end result is bad.   --Linus Torvalds to the BBC News  --|
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: Josh McKinney: "Re: [linux-usb-devel] Re: [PATCH] Logitech USB mice/trackball extensions"
Previous message: Margit Schubert-While: "Linux 2.4.21-pre6"
Next in thread: Chris Wright: "Re: [CHECKER] potential dereference of user pointer errors"
Reply: Chris Wright: "Re: [CHECKER] potential dereference of user pointer errors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Mar 31 2003 - 22:00:27 EST