[CHECKER] pcmcia user-pointer dereference

From: Hollis Blanchard (hollisb@us.ibm.com)
Date: Thu May 29 2003 - 16:17:23 EST


On Mon, 12 May 2003 Junfeng wrote:

here is a detailed explanation in case the warning itself isn't clear:

1. ds_ioctl is assigned to file_operations.ioctl
so its argument 'arg' is tainted. verify_area is
also called on 'arg', which confirms this.

2. copy_from_user (&buf, arg, _) copies in the content of arg

3. buf.win_info.handle is thus a user provided pointer.

4. pcmcia_get_mem_page dereferences its first parameter, in this case
buf.win_info.handle

I contacted David Hinds about this; the behavior is by design. User space passes in a pointer to a kernel data structure, and the kernel verifies it by checking a magic number in that structure.

It seems possible to perform some activity from user space to get the magic number into (any) kernel memory, then iterate over kernel space by passing pointers to the pcmcia ds_ioctl() until you manage to corrupt something. But I'm not really a security guy...

--
Hollis Blanchard
IBM Linux Technology Center
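The design the thread describes (user space hands the ioctl a raw kernel pointer and the kernel trusts it once a magic word matches) is contrasted below with the usual remedy, an opaque handle resolved through a kernel-owned, bounds-checked table. This is an added illustration, not code from the pcmcia driver or from anyone in the thread; the magic value, the `struct window` layout and the four-entry table are constructed for the example, and the functions are userspace stand-ins for an ioctl handler rather than real kernel APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values standing in for the driver's real structures. */
#define WIN_MAGIC   0x57494E44u
#define MAX_WINDOWS 4

struct window {
    uint32_t      magic;  /* the word the magic-number check inspects */
    unsigned long base;   /* the value the ioctl reports back */
};

/* Pattern described in the thread: the caller supplies a raw pointer and the
 * kernel accepts it as long as the word at the magic offset matches. Any
 * memory the caller can get the magic word into satisfies this check, so the
 * check proves nothing about who created the structure. */
static int get_page_by_pointer(const struct window *handle, unsigned long *out)
{
    if (handle == NULL || handle->magic != WIN_MAGIC)
        return -1;                      /* a driver would return -EINVAL */
    *out = handle->base;
    return 0;
}

/* Hardened form: user space only ever sees an opaque index. The kernel
 * resolves it through a table it owns, after a bounds and liveness check,
 * so no user-chosen address is dereferenced at all. */
static struct window  window_table[MAX_WINDOWS];
static unsigned char  window_in_use[MAX_WINDOWS];

/* Register a window and return its opaque handle, or -1 if the table is full. */
static int window_register(unsigned long base)
{
    for (unsigned int i = 0; i < MAX_WINDOWS; i++) {
        if (!window_in_use[i]) {
            window_table[i].magic = WIN_MAGIC;
            window_table[i].base  = base;
            window_in_use[i] = 1;
            return (int)i;
        }
    }
    return -1;
}

static void window_release(unsigned int idx)
{
    if (idx < MAX_WINDOWS)
        window_in_use[idx] = 0;
}

static int get_page_by_handle(unsigned int idx, unsigned long *out)
{
    if (idx >= MAX_WINDOWS || !window_in_use[idx])
        return -1;
    *out = window_table[idx].base;
    return 0;
}

/* Demonstration helpers: each returns 1 when the behaviour described holds. */

/* A caller-built structure carrying the magic word passes the pointer check
 * even though the kernel never allocated it. */
static int foreign_struct_passes_pointer_check(void)
{
    struct window foreign = { WIN_MAGIC, 0x1000 };  /* constructed, not kernel-owned */
    unsigned long v = 0;
    return get_page_by_pointer(&foreign, &v) == 0 && v == 0x1000;
}

/* A handle the kernel issued resolves to the right window. */
static int handle_roundtrip_works(void)
{
    unsigned long v = 0;
    int h = window_register(0x2000);
    int ok = h >= 0 && get_page_by_handle((unsigned)h, &v) == 0 && v == 0x2000;
    window_release((unsigned)h);
    return ok;
}

/* Released and out-of-range handles are refused instead of dereferenced. */
static int stale_handle_is_rejected(void)
{
    unsigned long v = 0;
    int h = window_register(0x3000);
    window_release((unsigned)h);
    return get_page_by_handle((unsigned)h, &v) == -1 &&
           get_page_by_handle(99, &v) == -1;
}

int main(void)
{
    printf("foreign struct passes pointer check: %d\n", foreign_struct_passes_pointer_check());
    printf("handle round trip works:            %d\n", handle_roundtrip_works());
    printf("stale handle is rejected:           %d\n", stale_handle_is_rejected());
    return 0;
}
```

The point of the contrast is that a magic word only tells the kernel what a region of memory looks like, not where it came from; an index into a table the kernel controls answers the second question and keeps the dereference on kernel-chosen memory.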

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/