From: Vojtech Pavlik <vojtech@suse.cz>
To: "Robert T. Johnson" <rtjohnso@cs.berkeley.edu>
Cc: linux-kernel@vger.kernel.org,
Sailesh Krishnamurthy <sailesh@EECS.Berkeley.EDU>
Subject: Re: Bug in 2.4.19-pre8 drivers/input/joydev.c
Date: Sun, 19 May 2002 20:18:45 +0200
Message-ID: <20020519201845.Q1976@ucw.cz>
In-Reply-To: <1021487163.12915.37.camel@dooby.cs.berkeley.edu>
On Wed, May 15, 2002 at 11:26:02AM -0700, Robert T. Johnson wrote:
> Sailesh Krishnamurthy and I have found what we believe is an exploitable
> bug in drivers/input/joydev.c:joydev_ioctl(). It looks like the
> JSIOCSAXMAP and JSIOCSBTNMAP cases accidentally reverse the arguments to
> copy_from_user(). A user program could call these ioctls with a
> maliciously chosen arg to crash the system or gain root access. A patch
> is attached to this message (though my mailer will probably mangle it --
> sorry). We apologize if we have misunderstood the behavior of this
> function.
Thanks for this report, this was found and fixed already.
>
> We found this bug using the static analysis tool cqual,
> http://www.cs.berkeley.edu/~jfoster/cqual/, developed at UC Berkeley by
> Jeff Foster, John Kodumal, and many others.
>
> Please CC us in any replies.
>
> Thanks for all your great work on the kernel.
>
> Best,
> Rob Johnson (rtjohnso@cs.berkeley.edu)
> Sailesh Krishnamurthy (sailesh@cs.berkeley.edu)
>
>
>
> --- joydev.c Wed May 15 10:25:26 2002
> +++ joydev_fixed.c Wed May 15 10:37:36 2002
> @@ -363,7 +363,7 @@
> return copy_to_user((struct js_corr *) arg,
> joydev->corr,
> sizeof(struct js_corr) *
> joydev->nabs) ? -EFAULT : 0;
> case JSIOCSAXMAP:
> - if (copy_from_user((__u8 *) arg, joydev->abspam,
> sizeof(__u8) *
> ABS_MAX))
> + if (copy_from_user(joydev->abspam, (__u8 *) arg,
> sizeof(__u8) *
> ABS_MAX))
> return -EFAULT;
> for (i = 0; i < ABS_MAX; i++) {
> if (joydev->abspam[i] > ABS_MAX) return
> -EINVAL;
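Review bot: the bound check in this hunk runs only after the user data has already been copied straight into `joydev->abspam`, so a request that trips `if (joydev->abspam[i] > ABS_MAX) return -EINVAL;` is rejected but has still replaced the driver's map with the rejected values; copying into a local buffer, validating it, and only then writing `joydev->abspam` keeps a failed ioctl from changing driver state. The check also admits the value ABS_MAX itself while the copy covers exactly ABS_MAX entries (`sizeof(__u8) * ABS_MAX`); if these values are later used as indices into an ABS_MAX-sized table, `>= ABS_MAX` is the bound needed. The argument swap itself is correct: `copy_from_user(joydev->abspam, (__u8 *) arg, ...)` now has the kernel buffer as the destination and the user pointer as the source.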
> @@ -374,7 +374,7 @@
> return copy_to_user((__u8 *) arg,
> joydev->abspam,
> sizeof(__u8) * ABS_MAX)
> ? -EFAULT : 0;
> case JSIOCSBTNMAP:
> - if (copy_from_user((__u16 *) arg,
> joydev->absmap, sizeof(__u16) *
> (KEY_MAX - BTN_MISC)))
> + if (copy_from_user(joydev->absmap, (__u16 *)
> arg, sizeof(__u16) *
> (KEY_MAX - BTN_MISC)))
> return -EFAULT;
> for (i = 0; i < KEY_MAX - BTN_MISC; i++); {
> if (joydev->keypam[i] > KEY_MAX ||
> joydev->keypam[i] < BTN_MISC)
> return -EINVAL;
>
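Review bot: the copy in this hunk now lands in `joydev->absmap`, but the validation loop that follows reads `joydev->keypam`, so unless those two names denote the same buffer the freshly copied button map is never range-checked and the loop inspects whatever `keypam` already held; the field written by `copy_from_user` and the field validated should be the same one. The loop header `for (i = 0; i < KEY_MAX - BTN_MISC; i++); {` also carries a stray `;` before the brace, which makes the loop body empty and executes the block once afterwards with `i == KEY_MAX - BTN_MISC`, past the range the loop was meant to cover; dropping that semicolon restores the per-element check. Both problems sit in unchanged context lines, so they call for a follow-up patch rather than a change to this one.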
--
Vojtech Pavlik
SuSE Labs
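As an added example that is neither part of this thread nor the kernel's own joydev.c, the following plain C program shows the handling pattern the report's fix depends on: `copy_from_user` takes the kernel destination first and the user source second, and a map supplied by user space is copied into a temporary and bound-checked before the driver's own table is touched, so a rejected request changes nothing. The helper `mock_copy_from_user`, the `demo_*` functions, `struct joydev_mock` and the ABS_MAX value are assumptions of this example; the real helper and constant live in the kernel. The strict `>= ABS_MAX` bound is also a choice of this example, on the assumption that map values index an ABS_MAX-entry table.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed constant for this example; the real value is defined in linux/input.h. */
#define ABS_MAX 0x3f

/* Minimal stand-in for the driver's per-device state: only the axis map. */
struct joydev_mock {
    uint8_t abspam[ABS_MAX];
};

/* Mock of the kernel helper, with the kernel's argument order (to, from, n).
 * It returns the number of bytes that could not be copied, so 0 means success.
 * A NULL source stands in for an unmapped user pointer. */
static unsigned long mock_copy_from_user(void *to, const void *from, unsigned long n)
{
    if (from == NULL)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* JSIOCSAXMAP-style handler. The user map is copied into a stack temporary,
 * every entry is bound-checked, and only then is the driver's map replaced,
 * so a rejected request leaves driver state untouched.
 * Returns 0 on success, -EFAULT on a bad pointer, -EINVAL on an out-of-range entry. */
int set_axis_map(struct joydev_mock *joydev, const uint8_t *user_arg)
{
    uint8_t tmp[ABS_MAX];
    int i;

    if (mock_copy_from_user(tmp, user_arg, sizeof(tmp)))
        return -EFAULT;
    for (i = 0; i < ABS_MAX; i++) {
        /* Strict bound (assumption: map values index an ABS_MAX-entry table). */
        if (tmp[i] >= ABS_MAX)
            return -EINVAL;
    }
    memcpy(joydev->abspam, tmp, sizeof(tmp));
    return 0;
}

/* Shared device for the constructed scenarios below. */
static struct joydev_mock demo_dev;

/* Constructed input: identity map, every entry in range. Expect 0. */
int demo_valid_map(void)
{
    uint8_t map[ABS_MAX];
    int i;
    for (i = 0; i < ABS_MAX; i++)
        map[i] = (uint8_t)i;
    return set_axis_map(&demo_dev, map);
}

/* Constructed input: one entry equal to ABS_MAX. Expect -EINVAL, previous map kept. */
int demo_out_of_range_map(void)
{
    uint8_t map[ABS_MAX];
    memset(map, 0, sizeof(map));
    map[3] = ABS_MAX;
    return set_axis_map(&demo_dev, map);
}

/* Entry 3 of the driver's current map, to observe whether a rejected request changed it. */
int demo_current_entry3(void)
{
    return demo_dev.abspam[3];
}

/* NULL user pointer: expect -EFAULT. */
int demo_bad_pointer(void)
{
    return set_axis_map(&demo_dev, NULL);
}

int main(void)
{
    int rc = demo_valid_map();
    printf("valid map: %d, entry 3 now %d\n", rc, demo_current_entry3());
    rc = demo_out_of_range_map();
    printf("out-of-range map: %d, entry 3 still %d\n", rc, demo_current_entry3());
    printf("bad pointer: %d\n", demo_bad_pointer());
    return 0;
}
```

The temporary buffer is what makes the rejection path safe: with the page's original ordering, a failed validation still leaves `joydev->abspam` holding the rejected values, whereas here the driver's table is written only once every entry has passed.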
Thread overview: 2+ messages
2002-05-15 18:26 Bug in 2.4.19-pre8 drivers/input/joydev.c Robert T. Johnson
2002-05-19 18:18 ` Vojtech Pavlik [this message]