From: Chris Wright <chrisw@osdl.org>
To: Ken Ashcraft <ken@coverity.com>
Cc: linux-kernel@vger.kernel.org, mc@cs.stanford.edu,
achim_leubner@adaptec.com
Subject: Re: [CHECKER] Probable security holes in 2.6.5
Date: Fri, 16 Apr 2004 11:32:39 -0700 [thread overview]
Message-ID: <20040416113239.W22989@build.pdx.osdl.net> (raw)
In-Reply-To: <1082134916.19301.7.camel@dns.coverity.int>; from ken@coverity.com on Fri, Apr 16, 2004 at 10:01:57AM -0700
* Ken Ashcraft (ken@coverity.com) wrote:
> [BUG]
> /home/kash/linux/linux-2.6.5/drivers/scsi/gdth.c:5068:ioc_general:
> ERROR:TAINT: 5059:5068:Passing unbounded user value "((gen).data_len +
> (gen).sense_len)" as arg 2 to function "copy_from_user", which uses it
> unsafely in model [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)]
> [SINK_MODEL=(lib,copy_from_user,user,trustingsink)] [PATH=
> "((gen).data_len + (gen).sense_len) != 0" on line 5064 is false =>
> "(gen).ionode >= gdth_ctr_count" on line 5059 is false =>
> "copy_from_user != 0" on line 5059 is false]
> #else
> Scsi_Cmnd scp;
> Scsi_Device sdev;
> #endif
>
> Start --->
> if (copy_from_user(&gen, (char *)arg,
> sizeof(gdth_ioctl_general)) ||
> gen.ionode >= gdth_ctr_count)
> return -EFAULT;
> hanum = gen.ionode;
> ha = HADATA(gdth_ctr_tab[hanum]);
> if (gen.data_len + gen.sense_len != 0) {
> if (!(buf = gdth_ioctl_alloc(hanum, gen.data_len +
> gen.sense_len,
> FALSE, &paddr)))
> return -EFAULT;
> Error --->
> if (copy_from_user(buf, (char *)arg +
> sizeof(gdth_ioctl_general),
> gen.data_len + gen.sense_len)) {
> gdth_ioctl_free(hanum, gen.data_len+gen.sense_len, buf,
> paddr);
> return -EFAULT;
Agreed this looks like it should be limited, but I'm not sure what valid
limits might be. Seems this will specify size to pci_alloc_consitent(),
and then use that buffer.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
next prev parent reply other threads:[~2004-04-16 18:32 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-16 17:01 [CHECKER] Probable security holes in 2.6.5 Ken Ashcraft
2004-04-16 18:20 ` Chris Wright
2004-04-16 19:20 ` Jeff Garzik
2004-04-16 22:12 ` Chris Wright
2004-04-19 16:46 ` Jeff Garzik
2004-04-16 18:32 ` Chris Wright [this message]
2004-04-16 18:54 ` Chris Wright
2004-04-21 1:34 ` Andrea Arcangeli
2004-04-21 1:38 ` Chris Wright
2004-04-16 19:19 ` Chris Wright
2004-04-16 19:27 ` Chris Wright
2004-04-17 6:15 ` Rusty Russell
2004-04-16 20:02 ` Chris Wright
2004-04-16 20:23 ` Chris Wright
2004-04-17 0:16 ` Chris Wright
2004-04-17 1:00 ` Chris Wright
2004-04-19 16:27 ` Jeff Garzik
2004-04-19 19:09 ` Chris Wright
2004-04-19 20:38 ` Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040416113239.W22989@build.pdx.osdl.net \
--to=chrisw@osdl.org \
--cc=achim_leubner@adaptec.com \
--cc=ken@coverity.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mc@cs.stanford.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox