Re: [CHECKER] pcmcia user-pointer dereference

[Hollis Blanchard (hollisb@us.ibm.com)]

On Thursday, May 29, 2003, at 16:22 US/Central, David Hinds wrote:

> On Thu, May 29, 2003 at 04:11:19PM -0500, Hollis Blanchard wrote:
> > I contacted David Hinds about this; the behavior is by design. User
> > space passes in a pointer to a kernel data structure, and the kernel
> > verifies it by checking a magic number in that structure.
> >
> > It seems possible to perform some activity from user space to get the
> > magic number into (any) kernel memory, then iterate over kernel space
> > by passing pointers to the pcmcia ds_ioctl() until you manage to
> > corrupt something. But I'm not really a security guy...
>
> This ioctl just returns the contents of another field of that same
> data structure that contains the magic number.  So, a malicious user
> could, if they were able to cause another kernel data structure to
> contain that magic number and they knew the address of that data
> structure, use this ioctl to read out the contents of an adjacent
> field that might not have otherwise been user-accessable.  You could
> not corrupt anything with this ioctl.

That's true for pcmcia_get_mem_page. However pcmcia_map_mem_page writes 
into the structure it verifies. I think pcmcia_get_first/next_window 
could also be used to corrupt memory (*handle = win in 
pcmcia_get_window).

> The kernel pointer could be done away with, by instead using an
> integer to represent the position in a linked list of the target data
> structure, which would be the best fix, if someone wants to code it.

That does sound like a better idea. :)

--
Hollis Blanchard
IBM Linux Technology Center

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/