public inbox for linux-scsi@vger.kernel.org
From: Matt Domsch <Matt_Domsch@dell.com>
To: linux-scsi@vger.kernel.org
Subject: Re: [CHECKER] Probable security holes in 2.6.5
Date: Mon, 19 Apr 2004 14:15:40 -0500
Message-ID: <20040419191540.GE24871@lists.us.dell.com>

Forwarding to linux-scsi.

----- Forwarded message from Chris Wright <chrisw@osdl.org> -----

Date: Mon, 19 Apr 2004 12:09:08 -0700
From: Chris Wright <chrisw@osdl.org>
To: Ken Ashcraft <ken@coverity.com>
Cc: linux-kernel@vger.kernel.org, mc@cs.stanford.edu,
        linux-aacraid-devel@dell.com
Subject: Re: [CHECKER] Probable security holes in 2.6.5
In-Reply-To: <1082134916.19301.7.camel@dns.coverity.int>; from ken@coverity.com on Fri, Apr 16, 2004 at 10:01:57AM -0700

> [BUG]
> /home/kash/linux/linux-2.6.5/drivers/scsi/aacraid/commctrl.c:419:aac_send_raw_srb: ERROR:TAINT: 413:419:Passing unbounded user value "fibsize" as arg 2 to function "copy_from_user", which uses it unsafely in model [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)] [SINK_MODEL=(lib,copy_from_user,user,trustingsink)]  [MINOR] [CAPABILTY] [PATH=] 
> 	}
> 	fib_init(srbfib);
> 
> 	srbcmd = (struct aac_srb*) fib_data(srbfib);
> 
> Start --->
> 	if(copy_from_user((void*)&fibsize, (void*)&user_srb->count,sizeof(u32))){
> 		printk(KERN_DEBUG"aacraid: Could not copy data size from user\n"); 
> 		rcode = -EFAULT;
> 		goto cleanup;
> 	}
> 
> Error --->
> 	if(copy_from_user(srbcmd, user_srb,fibsize)){
> 		printk(KERN_DEBUG"aacraid: Could not copy srb from user\n"); 
> 		rcode = -EFAULT;
> 		goto cleanup;
> ---------------------------------------------------------

Yup, it's protected by capable(), but...  A simple check eliminates the
possible overflow.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

===== drivers/scsi/aacraid/commctrl.c 1.4 vs edited =====
--- 1.4/drivers/scsi/aacraid/commctrl.c	Wed Nov 19 10:38:25 2003
+++ edited/drivers/scsi/aacraid/commctrl.c	Mon Apr 19 12:02:12 2004
@@ -416,6 +416,11 @@
 		goto cleanup;
 	}
 
+	if (fibsize > FIB_DATA_SIZE_IN_BYTES) {
+		rcode = -EINVAL;
+		goto cleanup;
+	}
+
 	if(copy_from_user(srbcmd, user_srb,fibsize)){
 		printk(KERN_DEBUG"aacraid: Could not copy srb from user\n"); 
 		rcode = -EFAULT;
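
Review bot: The added test `if (fibsize > FIB_DATA_SIZE_IN_BYTES)` bounds the length only from above, and the hunk does not show how fibsize is declared. The earlier copy reads it with sizeof(u32), so it should be declared u32 (or another unsigned type) so that a negative value cannot pass this comparison. Consider also rejecting a fibsize smaller than the fixed part of struct aac_srb, so that srbcmd is never left partly filled from a previous use. The copy_from_user(srbcmd, user_srb, fibsize) that follows fetches the user structure, including count, a second time, so later code should rely on the validated fibsize rather than on srbcmd->count, which user space can change between the two reads. Unlike the neighbouring error paths, the new -EINVAL path logs nothing; a printk(KERN_DEBUG ...) there would keep the failure modes distinguishable.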

----- End forwarded message -----