Chris Wright wrote:
: Both cosa_readmem and cosa_download don't seem to do any validation of
: the user supplied ptr at all before dereferncing it in get_user. And
: it'd make sense to use 'code' in cosa_reamdme (as in cosa_download)
: instead of 'd->code'. Jan, does this look OK?
Yes, you are right. I've missed this. However, it is not
as bad as it looks like, because you need the CAP_SYS_RAWIO to
exploit this. I agree this patch should be applied.
: ===== drivers/net/wan/cosa.c 1.17 vs edited =====
: --- 1.17/drivers/net/wan/cosa.c Mon Jan 13 17:11:59 2003
: +++ edited/drivers/net/wan/cosa.c Fri Mar 21 15:53:38 2003
: @@ -1057,7 +1057,8 @@
: return -EPERM;
: }
:
: - if (get_user(addr, &(d->addr)) ||
: + if (verify_area(VERIFY_READ, d, sizeof(*d)) ||
: + __get_user(addr, &(d->addr)) ||
: __get_user(len, &(d->len)) ||
: __get_user(code, &(d->code)))
: return -EFAULT;
: @@ -1098,7 +1099,8 @@
: return -EPERM;
: }
:
: - if (get_user(addr, &(d->addr)) ||
: + if (verify_area(VERIFY_READ, d, sizeof(*d)) ||
: + __get_user(addr, &(d->addr)) ||
: __get_user(len, &(d->len)) ||
: __get_user(code, &(d->code)))
: return -EFAULT;
: @@ -1106,7 +1108,7 @@
: /* If something fails, force the user to reset the card */
: cosa->firmware_status &= ~COSA_FW_RESET;
:
: - if ((i=readmem(cosa, d->code, len, addr)) < 0) {
: + if ((i=readmem(cosa, code, len, addr)) < 0) {
: printk(KERN_NOTICE "cosa%d: reading memory failed: %d\n",
: cosa->num, i);
: return -EIO;
-Yenya
-- | Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> | | GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E | | http://www.fi.muni.cz/~kas/ Czech Linux Homepage: http://www.linux.cz/ | |-- If you start doing things because you hate others and want to screw --| |-- them over the end result is bad. --Linus Torvalds to the BBC News --| - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Mar 31 2003 - 22:00:27 EST