Re: [CHECKER] Probable security holes in 2.6.5

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Andrea Arcangeli <andrea@suse.de>
To: Chris Wright <chrisw@osdl.org>
Cc: Ken Ashcraft <ken@coverity.com>,
	linux-kernel@vger.kernel.org, mc@cs.stanford.edu,
	dri-devel@lists.sourceforge.net
Subject: Re: [CHECKER] Probable security holes in 2.6.5
Date: Wed, 21 Apr 2004 03:34:02 +0200	[thread overview]
Message-ID: <20040421013402.GI29954@dualathlon.random> (raw)
In-Reply-To: <20040416115406.X22989@build.pdx.osdl.net>

On Fri, Apr 16, 2004 at 11:54:06AM -0700, Chris Wright wrote:
> * Ken Ashcraft (ken@coverity.com) wrote:
> > [BUG]
> > /home/kash/linux/linux-2.6.5/drivers/char/drm/i810_dma.c:1276:i810_dma_mc: ERROR:TAINT: 1267:1276:Using user value "((mc).idx * 4)" without first performing bounds checks [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)] [PATH= "(*((*dev).lock).hw_lock).lock & -2147483648 == 0" on line 1271 is false => "copy_from_user != 0" on line 1267 is false]    
> > 	u32 *hw_status = dev_priv->hw_status_page;
> > 	drm_i810_sarea_t *sarea_priv = (drm_i810_sarea_t *)
> > 		dev_priv->sarea_priv;
> > 	drm_i810_mc_t mc;
> > 
> > Start --->
> > 	if (copy_from_user(&mc, (drm_i810_mc_t *)arg, sizeof(mc)))
> > 		return -EFAULT;
> > 
> > 
> > 	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
> > 		DRM_ERROR("i810_dma_mc called without lock held\n");
> > 		return -EINVAL;
> > 	}
> > 
> > Error --->
> > 	i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
> > 		mc.last_render );
> > 
> > 	atomic_add(mc.used, &dev->counts[_DRM_STAT_SECONDARY]);
> 
> Looks like a possible bug.  Index shouldn't go off end of buflist.
> Perhaps verifying it's below buf_count would do it.  Patch below.
> 
> thanks,
> -chris
> -- 
> Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
> 
> ===== drivers/char/drm/i810_dma.c 1.31 vs edited =====
> --- 1.31/drivers/char/drm/i810_dma.c	Mon Apr 12 10:54:26 2004
> +++ edited/drivers/char/drm/i810_dma.c	Fri Apr 16 11:46:32 2004
> @@ -1275,6 +1275,9 @@
>  		return -EINVAL;
>  	}
>  
> +	if (mc.idx >= dma->buf_count)
> +		return -EINVAL;
> +
>  	i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
>  		mc.last_render );

this is wrong, idx is signed, so you've to check for negative values
too. Credit for noticing this doesn't belong to me though.

Could you just in case review the other fixes too for other potential
errors like this? thanks.

this is the correct fix for 2.6 (and it seems 2.4 too):

--- linux/drivers/char/drm/i810_dma.c	Mon Apr 12 10:54:26 2004
+++ linux/drivers/char/drm/i810_dma.c	Fri Apr 16 11:46:32 2004
@@ -1275,6 +1275,9 @@
 		return -EINVAL;
 	}
 
+	if (mc.idx >= dma->buf_count || mc.idx < 0)
+		return -EINVAL;
+
 	i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
 		mc.last_render );

next prev parent reply	other threads:[~2004-04-21  1:34 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-04-16 17:01 [CHECKER] Probable security holes in 2.6.5 Ken Ashcraft
2004-04-16 18:20 ` Chris Wright
2004-04-16 19:20   ` Jeff Garzik
2004-04-16 22:12     ` Chris Wright
2004-04-19 16:46   ` Jeff Garzik
2004-04-16 18:32 ` Chris Wright
2004-04-16 18:54 ` Chris Wright
2004-04-21  1:34   ` Andrea Arcangeli [this message]
2004-04-21  1:38     ` Chris Wright
2004-04-16 19:19 ` Chris Wright
2004-04-16 19:27 ` Chris Wright
2004-04-17  6:15   ` Rusty Russell
2004-04-16 20:02 ` Chris Wright
2004-04-16 20:23 ` Chris Wright
2004-04-17  0:16 ` Chris Wright
2004-04-17  1:00 ` Chris Wright
2004-04-19 16:27   ` Jeff Garzik
2004-04-19 19:09 ` Chris Wright
2004-04-19 20:38 ` Chris Wright

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040421013402.GI29954@dualathlon.random \
    --to=andrea@suse.de \
    --cc=chrisw@osdl.org \
    --cc=dri-devel@lists.sourceforge.net \
    --cc=ken@coverity.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mc@cs.stanford.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox