From: Chris Wright <chris@wirex.com>
To: Junfeng Yang <yjf@stanford.edu>
Cc: linux-kernel@vger.kernel.org, mc@cs.stanford.edu, perex@suse.cx
Subject: Re: [CHECKER] potential dereference of user pointer errors
Date: Fri, 21 Mar 2003 13:44:49 -0800 [thread overview]
Message-ID: <20030321134449.A646@figure1.int.wirex.com> (raw)
In-Reply-To: <Pine.GSO.4.44.0303202226230.24869-100000@elaine24.Stanford.EDU>; from yjf@stanford.edu on Thu, Mar 20, 2003 at 10:33:45PM -0800
* Junfeng Yang (yjf@stanford.edu) wrote:
>
> [BUG] not sure. the dereference occurs at a tainted place. call
> copy_from_user (, data, ), then copy_from_user (, *data, )
>
> /home/junfeng/linux-2.5.63/sound/core/seq/instr/ainstr_iw.c:92:snd_seq_iwffff_copy_env_from_stream:
> ERROR:TAINTED deferencing "data" tainted by [dist=0][copy_from_user:parm1]
seems like a bug, although i think it's the first copy_from_user that
would be broken.
Looks like call flow could be something like:
Store user buf ptr in event.data.ext.ptr.
Call snd_seq_iwffff_put with the event.data.ext.ptr (offset by header bits)
Call snd_seq_iwffff_copy_env_from_stream with &event.data.ext.ptr (offset a
little further).
Finally, call copy_from_user on &event.data.ext.ptr, which is copying
into an stype. This looks like it's the bug. I don't think the 32 bit
addr should be copied into the stype, rather the 1st 32bits of the data
(IOW copy_from_user(stype, *data,...)). The second copy_from_user (with
*data) copies in the whole iwffff_env_record_t struct which begins with
an stype, so it really looks as if the first copy is broken. Patch
below. Jaroslav?
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
===== instr/ainstr_iw.c 1.3 vs edited =====
--- 1.3/sound/core/seq/instr/ainstr_iw.c Mon Feb 10 02:39:27 2003
+++ edited/instr/ainstr_iw.c Fri Mar 21 13:01:32 2003
@@ -78,7 +78,7 @@
while (1) {
if (*len < (long)sizeof(__u32))
return -EINVAL;
- if (copy_from_user(&stype, data, sizeof(stype)))
+ if (copy_from_user(&stype, *data, sizeof(stype)))
return -EFAULT;
if (stype == IWFFFF_STRU_WAVE)
return 0;
next prev parent reply other threads:[~2003-03-21 21:37 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-03-04 11:12 [CHECKER] potential races in kernel/*.c mm/*.c net/*ipv4*.c Dawson Engler
2003-03-04 12:24 ` Hugh Dickins
2003-03-04 13:23 ` Martin Josefsson
2003-03-21 6:33 ` [CHECKER] potential dereference of user pointer errors Junfeng Yang
2003-03-21 21:44 ` Chris Wright [this message]
2003-03-21 21:58 ` Junfeng Yang
2003-03-21 22:06 ` Chris Wright
2003-03-21 22:08 ` Junfeng Yang
2003-03-21 22:15 ` Chris Wright
2003-03-22 20:49 ` Alan Cox
2003-03-22 20:19 ` Chris Wright
2003-03-21 23:55 ` Chris Wright
2003-03-27 8:07 ` Jan Kasprzak
2003-03-27 17:10 ` Chris Wright
2003-04-21 7:49 ` [CHECKER] Help Needed! Junfeng Yang
2003-04-21 21:26 ` Chris Wright
2003-04-26 2:18 ` [CHECKER] 30 potential dereference of user-pointer errors Junfeng Yang
2003-04-27 9:26 ` James Morris
2003-04-28 1:55 ` Junfeng Yang
2003-04-27 20:18 ` Nick Holloway
2003-04-27 21:14 ` Junfeng Yang
2003-04-27 21:29 ` Junfeng Yang
2003-04-28 6:43 ` [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data Junfeng Yang
2003-04-29 7:25 ` Greg KH
2003-04-29 9:14 ` Junfeng Yang
2003-04-28 6:50 ` [CHECKER] 8 potential user-pointer errors that allow arbitrary writes to kernel Junfeng Yang
2003-04-28 12:49 ` Alan Cox
2003-04-28 19:11 ` Junfeng Yang
2003-04-29 0:02 ` [CHECKER] 5 potential user-pointer errors in write_proc Junfeng Yang
2003-04-29 7:26 ` [CHECKER] 30 potential dereference of user-pointer errors Greg KH
2003-03-22 0:15 ` [CHECKER] potential dereference of user pointer errors Chris Wright
2003-03-22 0:32 ` Greg KH
2003-03-22 0:47 ` Chris Wright
2003-03-22 1:00 ` Greg KH
2003-03-22 0:32 ` Chris Wright
2003-03-23 23:10 ` Junfeng Yang
2003-03-24 0:24 ` [CHECKER] 63 potential calling blocking functions with locks held errors Junfeng Yang
2003-03-24 12:35 ` [CHECKER] 8 potential calling blocking kmalloc(GFP_KERNEL) " Junfeng Yang
2003-03-24 0:29 ` [CHECKER] 1 potential double unlock error Junfeng Yang
2003-03-24 9:07 ` [CHECKER] potential dereference of user pointer errors Jaroslav Kysela
2003-03-24 22:28 ` Raja R Harinath
2003-03-25 0:44 ` David S. Miller
2003-03-25 18:52 ` Raja R Harinath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030321134449.A646@figure1.int.wirex.com \
--to=chris@wirex.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mc@cs.stanford.edu \
--cc=perex@suse.cx \
--cc=yjf@stanford.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.