public inbox for linux-scsi@vger.kernel.org
* Re: [CHECKER] Probable security holes in 2.6.5
@ 2004-04-19 19:15 Matt Domsch
From: Matt Domsch @ 2004-04-19 19:15 UTC
  To: linux-scsi


Forwarding to linux-scsi.

----- Forwarded message from Chris Wright <chrisw@osdl.org> -----

Date: Mon, 19 Apr 2004 12:09:08 -0700
From: Chris Wright <chrisw@osdl.org>
To: Ken Ashcraft <ken@coverity.com>
Cc: linux-kernel@vger.kernel.org, mc@cs.stanford.edu,
        linux-aacraid-devel@dell.com
Subject: Re: [CHECKER] Probable security holes in 2.6.5
In-Reply-To: <1082134916.19301.7.camel@dns.coverity.int>; from ken@coverity.com on Fri, Apr 16, 2004 at 10:01:57AM -0700

> [BUG]
> /home/kash/linux/linux-2.6.5/drivers/scsi/aacraid/commctrl.c:419:aac_send_raw_srb: ERROR:TAINT: 413:419:Passing unbounded user value "fibsize" as arg 2 to function "copy_from_user", which uses it unsafely in model [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)] [SINK_MODEL=(lib,copy_from_user,user,trustingsink)]  [MINOR] [CAPABILTY] [PATH=] 
> 	}
> 	fib_init(srbfib);
> 
> 	srbcmd = (struct aac_srb*) fib_data(srbfib);
> 
> Start --->
> 	if(copy_from_user((void*)&fibsize, (void*)&user_srb->count,sizeof(u32))){
> 		printk(KERN_DEBUG"aacraid: Could not copy data size from user\n"); 
> 		rcode = -EFAULT;
> 		goto cleanup;
> 	}
> 
> Error --->
> 	if(copy_from_user(srbcmd, user_srb,fibsize)){
> 		printk(KERN_DEBUG"aacraid: Could not copy srb from user\n"); 
> 		rcode = -EFAULT;
> 		goto cleanup;
> ---------------------------------------------------------

Yup, it's protected by capable(), but...  A simple check eliminates the
possible overflow.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

===== drivers/scsi/aacraid/commctrl.c 1.4 vs edited =====
--- 1.4/drivers/scsi/aacraid/commctrl.c	Wed Nov 19 10:38:25 2003
+++ edited/drivers/scsi/aacraid/commctrl.c	Mon Apr 19 12:02:12 2004
@@ -416,6 +416,11 @@
 		goto cleanup;
 	}
 
+	if (fibsize > FIB_DATA_SIZE_IN_BYTES) {
+		rcode = -EINVAL;
+		goto cleanup;
+	}
+
 	if(copy_from_user(srbcmd, user_srb,fibsize)){
 		printk(KERN_DEBUG"aacraid: Could not copy srb from user\n"); 
 		rcode = -EFAULT;
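
Review bot: The added `fibsize > FIB_DATA_SIZE_IN_BYTES` test bounds the length only from above; a `fibsize` smaller than `sizeof(struct aac_srb)` still reaches `copy_from_user(srbcmd, user_srb,fibsize)` and leaves the rest of `*srbcmd` not filled in by the caller, so consider rejecting short sizes in the same check. The comparison also relies on `fibsize` being unsigned: it is filled with `sizeof(u32)` bytes earlier in the function, but its declaration is outside this hunk, so it is worth confirming that a negative value cannot slip past the `>` test. Because the second copy fetches `user_srb->count` from user space again, later code should use the checked `fibsize` rather than the `count` field now sitting in `srbcmd`. Unlike the neighbouring error paths, the new one returns `-EINVAL` without a `printk`; say so in the commit message if that is intended.
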

----- End forwarded message -----
