Re: 2.4.23: user/kernel pointer bugs (drivers/char/vt.c,drivers/char/drm/gamma_dma.c)
From: Marcelo Tosatti
Date: Sat Jan 10 2004 - 12:51:14 EST
On Thu, 8 Jan 2004, Robert T. Johnson wrote:
> Both of these bugs look exploitable. The vt.c patch is
> self-explanatory.
>
> Thanks for looking at this, and let me know if you have any questions.
>
> Best,
> Rob
>
> P.S. Both of these bugs were found using the source code verification
> tool, CQual, developed by Jeff Foster, myself, and others, and available
> from http://www.cs.umd.edu/~jfoster/cqual/.
>
>
> --- drivers/char/vt.c.orig Thu Jan 8 10:53:01 2004
> +++ drivers/char/vt.c Wed Jan 7 15:22:17 2004
> @@ -288,7 +288,7 @@
> case KDGKBSENT:
> sz = sizeof(tmp.kb_string) - 1; /* sz should have been
> a struct member */
> - q = user_kdgkb->kb_string;
> + q = tmp.kb_string;
> p = func_table[i];
> if(p)
> for ( ; *p && sz; p++, sz--)
The "q" variable is only used as an argument to put_user() (the kernel is
not reading from that address), so I think it is not a problem.
I think your patch will break the ioctl.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/