From: Greg KH <greg@kroah.com>
To: borchers@steinerpoint.com, pberger@brimson.com
Cc: Dawson Engler <engler@csl.Stanford.EDU>, linux-kernel@vger.kernel.org
Subject: Re: [CHECKER] 9 potential copy_*_user bugs in 2.4.1
Date: Thu, 15 Mar 2001 21:54:40 -0800
Message-ID: <20010315215440.A2449@wirex.com>
In-Reply-To: <200103160224.SAA03920@csl.Stanford.EDU>; from engler@csl.Stanford.EDU on Thu, Mar 15, 2001 at 06:24:51PM -0800

On Thu, Mar 15, 2001 at 06:24:51PM -0800, Dawson Engler wrote:
> Hi,
> 
> I wrote an extension to gcc that does global analysis to determine
> which pointers in 2.4.1 are ever treated as user space pointers (i.e.,
> passed to copy_*_user, verify_area, etc) and then makes sure they are
> always treated that way.
> 
> It found what looks to be 9 errors, and 3 cases I'm not sure about.
> I've tried to eliminate false positives, but if any remain, please let
> me know.

<snip>

> ---------------------------------------------------------
> [BUG] Looks like a bug where the memcpy forgets to use the user_buf pointer.
> 
> /u2/engler/mc/oses/linux/2.4.1/drivers/usb/serial/digi_acceleport.c:1288:digi_write: ERROR:PARAM:1271:1288: tainted var 'buf' (from line 1271) used as arg 1 to '__constant_memcpy'
> 
> 	/* copy user data (which can sleep) before getting spin lock */
> 	count = MIN( 64, MIN( count, port->bulk_out_size-2 ) );
> Start --->
> 	if( from_user && copy_from_user( user_buf, buf, count ) ) {
> 		return( -EFAULT );
> 	}
> 
> 	/* be sure only one write proceeds at a time */
> 	/* there are races on the port private buffer */
> 	/* and races to check write_urb->status */
> 
> 	/* wait for urb status clear to submit another urb */
> 	if( port->write_urb->status == -EINPROGRESS
> 	|| priv->dp_write_urb_in_use ) {
> 
> 		/* buffer data if count is 1 (probably put_char) if possible */
> 		if( count == 1 ) {
> 			new_len = MIN( count,
> 				DIGI_OUT_BUF_SIZE-priv->dp_out_buf_len );
> Error --->
> 			memcpy( priv->dp_out_buf+priv->dp_out_buf_len, buf,
> 				new_len );
> 			priv->dp_out_buf_len += new_len;
> 		} else {
> 			new_len = 0;
> 
> ---------------------------------------------------------

Al, Pete, does this patch look good to fix this problem?

(I'll send a separate patch for the other usb-serial problems.)

thanks,

greg k-h

-- 
greg@(kroah|wirex).com

[-- Attachment #2: digi_acceleport.patch --]

--- digi_acceleport.c.original	Thu Mar 15 21:38:10 2001
+++ digi_acceleport.c	Thu Mar 15 21:38:46 2001
@@ -1285,8 +1285,8 @@
 		if( count == 1 ) {
 			new_len = MIN( count,
 				DIGI_OUT_BUF_SIZE-priv->dp_out_buf_len );
-			memcpy( priv->dp_out_buf+priv->dp_out_buf_len, buf,
-				new_len );
+			memcpy( priv->dp_out_buf+priv->dp_out_buf_len, 
+				from_user ? user_buf : buf, new_len );
 			priv->dp_out_buf_len += new_len;
 		} else {
 			new_len = 0;
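Review bot: the ternary fixes this one memcpy, but `buf` remains a live, tainted user pointer for the rest of digi_write, so any later use of `buf` as a memcpy source (the non-buffered transfer path is outside this hunk) would need the same `from_user ? user_buf : buf` treatment, and the checker only reported this site. A more robust shape is to pick the kernel-side source once, right after the `copy_from_user()` succeeds, e.g. `data = from_user ? user_buf : buf;`, and have every later copy read from `data`, so that no later site can dereference the user address directly (which, in kernel context, oopses on a bad pointer and is exactly what the checker's "tainted var 'buf' used as arg 1 to '__constant_memcpy'" means). Minor: the line `+			memcpy( priv->dp_out_buf+priv->dp_out_buf_len, ` carries trailing whitespace.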

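As an added example that is not part of Greg's patch or the digi_acceleport driver: a user-space C model of the write path discussed in the thread. "User" addresses are small offsets into a fake address space, so a raw memcpy() from one would be a wild dereference, the same class of bug the checker reported; the hardened port_write() dereferences the user pointer exactly once, through a copy_from_user() stand-in, and routes every later copy through a single kernel-side pointer. The names user_mem, USER_PTR, user_poke, port_priv and its fields, and the buffer sizes are assumptions made for this example, not the driver's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFAULT            14
#define USER_MEM_SIZE     4096   /* size of the fake user address space (assumption) */
#define DIGI_OUT_BUF_SIZE 8      /* kept small so the buffering path is easy to fill (assumption) */
#define STAGE_SIZE        64     /* mirrors the MIN(64, ...) clamp in the quoted digi_write */

/* Fake user address space. A "user pointer" here is a small offset cast to a
 * pointer; dereferencing it directly is a wild access, which is what the
 * original memcpy(..., buf, ...) did with a real user address. */
static unsigned char user_mem[USER_MEM_SIZE];
#define USER_PTR(off) ((const unsigned char *)(uintptr_t)(off))

/* Constructed input: place bytes in fake user memory. */
static void user_poke(uintptr_t off, const char *data, size_t len)
{
    memcpy(user_mem + off, data, len);
}

/* Model of copy_from_user(): the range check stands in for access_ok().
 * Returns the number of bytes not copied (0 on success), like the kernel's. */
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
    uintptr_t off = (uintptr_t)from;
    if (off > USER_MEM_SIZE || n > USER_MEM_SIZE - off)
        return n;
    memcpy(to, user_mem + off, n);
    return 0;
}

struct port_priv {
    unsigned char dp_out_buf[DIGI_OUT_BUF_SIZE];  /* absorbs put_char-style writes */
    int dp_out_buf_len;
    int write_urb_in_use;                         /* stands in for the in-flight URB check */
    unsigned char sent[STAGE_SIZE];               /* what the "URB" would carry */
    int sent_len;
};

/* Hardened write path. The user pointer is dereferenced exactly once, inside
 * copy_from_user(); every later consumer reads through `src`, which is always
 * a kernel pointer, so no later memcpy can pick up the tainted `buf` again.
 * Returns the number of bytes accepted, or -EFAULT. */
static int port_write(struct port_priv *priv, int from_user,
                      const unsigned char *buf, int count)
{
    unsigned char user_buf[STAGE_SIZE];
    const unsigned char *src;
    int new_len;

    if (count > STAGE_SIZE)
        count = STAGE_SIZE;

    if (from_user) {
        if (copy_from_user(user_buf, buf, count))
            return -EFAULT;
        src = user_buf;
    } else {
        src = buf;
    }
    /* `buf` is not used past this point. */

    if (priv->write_urb_in_use) {
        /* Transfer in flight: only a single byte (put_char) is buffered. */
        if (count != 1)
            return 0;
        new_len = DIGI_OUT_BUF_SIZE - priv->dp_out_buf_len;
        if (new_len > count)
            new_len = count;
        memcpy(priv->dp_out_buf + priv->dp_out_buf_len, src, new_len);
        priv->dp_out_buf_len += new_len;
        return new_len;
    }

    /* Nothing in flight: hand the data to the "URB" and mark it busy. */
    memcpy(priv->sent, src, count);
    priv->sent_len = count;
    priv->write_urb_in_use = 1;
    return count;
}

/* Three cases: a user write that goes straight out, a one-byte user write
 * that gets buffered while a transfer is in flight, and a bogus user pointer
 * that must fail with -EFAULT without touching kernel state.
 * Returns 0 when every check passes, otherwise the number of the failed step. */
static int scenario(void)
{
    struct port_priv p;
    memset(&p, 0, sizeof p);

    user_poke(0x100, "abc", 3);
    if (port_write(&p, 1, USER_PTR(0x100), 3) != 3 || memcmp(p.sent, "abc", 3) != 0)
        return 1;
    user_poke(0x200, "z", 1);
    if (port_write(&p, 1, USER_PTR(0x200), 1) != 1 || p.dp_out_buf[0] != 'z')
        return 2;
    if (port_write(&p, 1, USER_PTR(USER_MEM_SIZE), 1) != -EFAULT || p.dp_out_buf_len != 1)
        return 3;
    return 0;
}

int main(void)
{
    int rc = scenario();
    printf("scenario: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

The point of choosing `src` once is that the invariant the checker enforces (a pointer that has been handed to copy_*_user is a user pointer everywhere) becomes structural: there is simply no later line where `buf` is available to a memcpy, rather than each site having to remember the `from_user` test.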
Thread overview: 10+ messages
2001-03-16  2:24 [CHECKER] 9 potential copy_*_user bugs in 2.4.1 Dawson Engler
2001-03-16  3:11 ` Alexander Viro
2001-03-16  7:36   ` Dawson Engler
2001-03-16 13:05   ` Jamie Lokier
2001-03-16  5:54 ` Greg KH [this message]
2001-03-16  7:07 ` David S. Miller
2001-03-16 10:06 ` David Woodhouse
2001-03-16 19:26   ` Russell King
2001-03-16 20:56 ` Locking question (was: [CHECKER] 9 potential copy_*_user bugs in 2.4.1) Nigel Gamble
2001-03-20  8:42 ` [CHECKER] 9 potential copy_*_user bugs in 2.4.1 Rusty Russell
