From: David Hinds <dhinds@sonic.net>
To: Hollis Blanchard <hollisb@us.ibm.com>
Cc: linux-kernel@vger.kernel.org, Junfeng Yang <yjf@stanford.edu>
Subject: Re: [CHECKER] pcmcia user-pointer dereference
Date: Thu, 29 May 2003 14:22:38 -0700
Message-ID: <20030529142238.A8933@sonic.net>
In-Reply-To: <17ACEE5A-921A-11D7-B8B8-000A95A0560C@us.ibm.com>
On Thu, May 29, 2003 at 04:11:19PM -0500, Hollis Blanchard wrote:
>
> I contacted David Hinds about this; the behavior is by design. User
> space passes in a pointer to a kernel data structure, and the kernel
> verifies it by checking a magic number in that structure.
>
> It seems possible to perform some activity from user space to get the
> magic number into (any) kernel memory, then iterate over kernel space
> by passing pointers to the pcmcia ds_ioctl() until you manage to
> corrupt something. But I'm not really a security guy...
This ioctl just returns the contents of another field of that same
data structure that contains the magic number. So, a malicious user
could, if they were able to cause another kernel data structure to
contain that magic number and they knew the address of that data
structure, use this ioctl to read out the contents of an adjacent
field that might not have otherwise been user-accessible. You could
not corrupt anything with this ioctl.
The kernel pointer could be done away with, by instead using an
integer to represent the position in a linked list of the target data
structure, which would be the best fix, if someone wants to code it.
- Dave
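Added example, not code from this thread or from the pcmcia driver: a user-space simulation of the two interface designs Dave contrasts above. `lookup_by_pointer` models the existing ioctl, which trusts a caller-supplied kernel address once the magic field matches and hands back the neighbouring field; `lookup_by_index` models his proposed fix, where the caller names a position in the kernel's own linked list and the kernel never dereferences a caller-chosen address. The type and function names, the magic constant and the sample values are all constructed for illustration.

```c
/* Simulation of a magic-checked pointer interface versus an index-based
 * one. All identifiers here (client_t, CLIENT_MAGIC, lookup_by_pointer,
 * lookup_by_index, the demo_* helpers) are made up for this example and
 * are not the pcmcia driver's names. Runs entirely in user space. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CLIENT_MAGIC 0x5c1e4700u   /* constructed magic value */

typedef struct client {
    uint32_t magic;          /* the field the old interface checks */
    uint32_t secret_field;   /* the "adjacent field" the ioctl returns */
    struct client *next;
} client_t;

/* Old design: accept any address and trust it once the magic matches.
 * Nothing ties the pointer to an object the kernel actually allocated
 * as a client, so any memory that happens to start with the magic
 * pattern passes, and the word after it is returned to the caller. */
int lookup_by_pointer(const void *caller_supplied, uint32_t *out)
{
    const client_t *c = caller_supplied;
    if (c->magic != CLIENT_MAGIC)
        return -1;
    *out = c->secret_field;
    return 0;
}

/* Fixed design: the caller supplies a position, the kernel walks its
 * own list. Only genuine client structures are reachable, and an index
 * past the end simply fails instead of touching arbitrary memory. */
int lookup_by_index(const client_t *head, unsigned int index, uint32_t *out)
{
    const client_t *c = head;
    while (c != NULL && index-- > 0)
        c = c->next;
    if (c == NULL)
        return -1;                   /* out of range: nothing to read */
    if (c->magic != CLIENT_MAGIC)
        return -1;                   /* defence in depth against list damage */
    *out = c->secret_field;
    return 0;
}

/* Shows the weakness of the old check: a buffer that is not a client at
 * all, but whose first word equals the magic, is accepted and its second
 * word is disclosed. The buffer is plain uint32_t storage so that reading
 * it through client_t's uint32_t members stays within C's aliasing rules. */
int demo_pointer_accepts_foreign_object(void)
{
    uint32_t foreign[2] = { CLIENT_MAGIC, 0xdeadbeefu };  /* constructed */
    uint32_t v = 0;
    return lookup_by_pointer(foreign, &v) == 0 && v == 0xdeadbeefu;
}

/* Builds a two-entry client list and looks up one position with the fixed
 * interface. Returns the field on success and 0 for a rejected index. */
uint32_t demo_index_lookup(unsigned int index)
{
    client_t second = { CLIENT_MAGIC, 0x22222222u, NULL };   /* constructed */
    client_t first  = { CLIENT_MAGIC, 0x11111111u, &second }; /* constructed */
    uint32_t v = 0;
    if (lookup_by_index(&first, index, &v) != 0)
        return 0;
    return v;
}

int main(void)
{
    printf("pointer interface accepts foreign object: %s\n",
           demo_pointer_accepts_foreign_object() ? "yes" : "no");
    printf("index 1 -> 0x%08x\n", demo_index_lookup(1));
    printf("index 7 -> 0x%08x (rejected)\n", demo_index_lookup(7));
    return 0;
}
```

The index walk keeps the magic check, which matches Dave's reading that the check exists to catch stale or mismatched handles rather than to authenticate an arbitrary address; with the list walk in place the magic can no longer be satisfied by memory the caller merely knows the address of.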
Thread overview: 8+ messages
2003-05-29 21:11 [CHECKER] pcmcia user-pointer dereference Hollis Blanchard
2003-05-29 21:22 ` David Hinds [this message]
2003-05-29 21:30 ` Hollis Blanchard
2003-05-29 21:36 ` David Hinds
2003-05-30 10:11 ` Alan Cox
2003-05-30 10:10 ` Alan Cox
2003-05-31 22:46 ` David Wagner
[not found] <E19LjBL-0000FS-00@mrrp.telinco.co.uk>
2003-05-30 12:43 ` Mike Playle