On Sun, 27 Apr 2003, Nick Holloway wrote:
> In list.linux-kernel yjf@stanford.edu (Junfeng Yang) wrote:
> > [BUG] on VIDIOCGCAPUTRE and VIDIOCSCAPUTRE branches copy_*_user functions are called. on other branches not
> > /home/junfeng/linux-tainted/drivers/media/video/cpia.c:3432:cpia_do_ioctl: ERROR:TAINTED:3432:3432: dereferencing tainted ptr 'vp' [Callstack: ]
> >
> > DBG("VIDIOCSPICT\n");
> >
> > /* check validity */
> > DBG("palette: %d\n", vp->palette);
> > DBG("depth: %d\n", vp->depth);
> >
> > Error --->
> > if (!valid_mode(vp->palette, vp->depth)) {
> > retval = -EINVAL;
> > break;
> > }
> > ---------------------------------------------------------
>
> I can't see this. This code fragment is from cpia_do_ioctl. This is
> never called directly, the entry point is cpia_ioctl, which always passes
> ioctl calls to video_usercopy (which calls cpia_do_ioctl through the
> supplied function pointer).
>
> In video_usercopy, it calls copy_from_user for an _IOW ioctl (which
> VIDIOCSPICT is). There is certainly no differentiation between the
> different ioctl calls made by video_usercopy.
Hi,
Our checker finds an inconsistencies in this function. For case branch
"VIDIOCSCAPTURE" and "VIDIOCGCAPTUER", copy_from_user is called on
argument "arg", which implies arg is a user-pointer. The checker isn't
smart enough to figure out if the dereferences in other branches are
errors or the copy_*_user calls are errors.
I checked videodev.h, where VIDIOCGCAPTURE and VIDIOCSCAPTUER are defined
as _IOR ... and _IOW. does that mean the copy_from_user calls on case
branch VIDIOCGCPAUTER and VIDIOCSCAPUTER are on kernel pointers?
-Junfeng
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Apr 30 2003 - 22:00:27 EST