Re: [Dri-devel] 2.4.23: user/kernel pointer bugs(drivers/char/vt.c, drivers/char/drm/gamma_dma.c)

[Alan Cox]

On Iau, 2004-01-08 at 20:08, Robert T. Johnson wrote:
> Both of these bugs look exploitable.  The vt.c patch is
> self-explanatory.  
> 
> In gamma_dma.c, argument "d" to gamma_dma_priority() points to a
> structure copied from userspace (see gamma_dma()).  That means that
> d->send_indices is a pointer under user control, so it shouldn't be
> dereferenced.  The patch just safely copies the contents to a kernel
> buffer and uses that instead.  Ditto for d->send_sizes.

Fortunately (in this case) Gamma hasn't worked since about 1999. The SiS
DRM driver in XFree 4.4 snapshot is also exploitable although the 4.3
one seems ok. If you feed the memory allocator random crap it oopses.
With 4.3.x (ie the code in 2.4.x) it doesn't oops but requires sis_fb.
With 4.3.99... it oopses if I dont have sisfb.

> Also, I notice the drm code uses it's own memory allocation wrappers.  I
> don't know all the details of the drm code, so I just used kmalloc. 
> You'll probably want to change those two calls after applying the
> patch.  Sorry for the inconvenience.

It comes out as kmalloc, but its done so it will be portable to other
systems. So on *BSD it comes out appropriately too.

Incidentally the gamme code appears to have maths overflow problems in
the kmalloc paths too.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/