drivers/s390/char/keyboard.c NULL pointer reference

linux-s390.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* drivers/s390/char/keyboard.c NULL pointer reference
@ 2017-08-03 13:57 sohu0106
  2017-08-04  9:26 ` Heiko Carstens
  0 siblings, 1 reply; 4+ messages in thread
From: sohu0106 @ 2017-08-03 13:57 UTC (permalink / raw)
  To: schwidefsky, heiko.carstens; +Cc: linux-s390, torvalds, linux-kernel



Local users able to send the NULL arg argument to kbd_ioctl(), which could cause kernel crash




diff --git a/keyboard.c 
b/keyboard.c
index ba0e4f9..3ec16b1 100644
--- a/keyboard.c
+++ b/keyboard.c
@@ -456,6 +456,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
        int perm;
 
        argp = (void __user *)arg;
+       if( !argp )
+               return -EFAULT;
 
        /*
         * To have permissions to do most of the vt ioctls, we either have


https://bugzilla.kernel.org/show_bug.cgi?id=196575

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: drivers/s390/char/keyboard.c NULL pointer reference
  2017-08-03 13:57 drivers/s390/char/keyboard.c NULL pointer reference sohu0106
@ 2017-08-04  9:26 ` Heiko Carstens
  2017-08-05  1:44   ` sohu0106
  0 siblings, 1 reply; 4+ messages in thread
From: Heiko Carstens @ 2017-08-04  9:26 UTC (permalink / raw)
  To: sohu0106; +Cc: schwidefsky, linux-s390, torvalds, linux-kernel

On Thu, Aug 03, 2017 at 09:57:38PM +0800, sohu0106 wrote:
> 
> 
> Local users able to send the NULL arg argument to kbd_ioctl(), which could cause kernel crash
> 
> 
> 
> 
> diff --git a/keyboard.c 
> b/keyboard.c
> index ba0e4f9..3ec16b1 100644
> --- a/keyboard.c
> +++ b/keyboard.c
> @@ -456,6 +456,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
>         int perm;
>  
>         argp = (void __user *)arg;
> +       if( !argp )
> +               return -EFAULT;

This doesn't make sense as well. All uaccess functions are able to handle
NULL pointers within user space.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re:Re: drivers/s390/char/keyboard.c NULL pointer reference
  2017-08-04  9:26 ` Heiko Carstens
@ 2017-08-05  1:44   ` sohu0106
  2017-08-05  7:50     ` Heiko Carstens
  0 siblings, 1 reply; 4+ messages in thread
From: sohu0106 @ 2017-08-05  1:44 UTC (permalink / raw)
  To: Heiko Carstens; +Cc: schwidefsky, linux-s390, torvalds, linux-kernel



I don't understand a bit,My idea is 

in userland

fd=open("tty3270",O_RDONLY)
...
ret=ioctl(fd,KDGKBDIACR,NULL)
...

then here 
drivers/s390/char/keyboard.c
477 
case KDGKBDIACR:
	{
		struct kbdiacrs __user *a = argp;
		struct kbdiacr diacr;
		int i;
		
		//a is NULL,a->kb_cnt will crash
		if (put_user(kbd->accent_table_size, &a->kb_cnt))




At 2017-08-04 17:26:08, "Heiko Carstens" <heiko.carstens@de.ibm.com> wrote:
>On Thu, Aug 03, 2017 at 09:57:38PM +0800, sohu0106 wrote:
>> 
>> 
>> Local users able to send the NULL arg argument to kbd_ioctl(), which could cause kernel crash
>> 
>> 
>> 
>> 
>> diff --git a/keyboard.c 
>> b/keyboard.c
>> index ba0e4f9..3ec16b1 100644
>> --- a/keyboard.c
>> +++ b/keyboard.c
>> @@ -456,6 +456,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
>>         int perm;
>>  
>>         argp = (void __user *)arg;
>> +       if( !argp )
>> +               return -EFAULT;
>
>This doesn't make sense as well. All uaccess functions are able to handle
>NULL pointers within user space.
>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Re: drivers/s390/char/keyboard.c NULL pointer reference
  2017-08-05  1:44   ` sohu0106
@ 2017-08-05  7:50     ` Heiko Carstens
  0 siblings, 0 replies; 4+ messages in thread
From: Heiko Carstens @ 2017-08-05  7:50 UTC (permalink / raw)
  To: sohu0106; +Cc: schwidefsky, linux-s390, torvalds, linux-kernel

On Sat, Aug 05, 2017 at 09:44:45AM +0800, sohu0106 wrote:
> 
> 
> I don't understand a bit,My idea is 
> 
> in userland
> 
> fd=open("tty3270",O_RDONLY)
> ...
> ret=ioctl(fd,KDGKBDIACR,NULL)
> ...
> 
> then here 
> drivers/s390/char/keyboard.c
> 477 
> case KDGKBDIACR:
> 	{
> 		struct kbdiacrs __user *a = argp;
> 		struct kbdiacr diacr;
> 		int i;
> 		
> 		//a is NULL,a->kb_cnt will crash
> 		if (put_user(kbd->accent_table_size, &a->kb_cnt))

a->kb_cnt and &a->kb_cnt is not the same...

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2017-08-05  7:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-08-03 13:57 drivers/s390/char/keyboard.c NULL pointer reference sohu0106
2017-08-04  9:26 ` Heiko Carstens
2017-08-05  1:44   ` sohu0106
2017-08-05  7:50     ` Heiko Carstens

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).