[CHECKER] aacraid user pointer use
From: Hollis Blanchard (hollisb@us.ibm.com)
Date: Fri May 30 2003 - 11:01:55 EST
Stanford checker said:
---------------------------------------------------------
[BUG] at least bad programming practice. file_operations.ioctl ->
aac_cfg_ioctl -> aac_do_ioctl -> close_getadapter_fib ->
aac_close_fib_context. All other functions called by aac_do_ioctl assume
arg is a user pointer. It is unknown what will happen.
/home/junfeng/linux-2.5.63/drivers/scsi/aacraid/commctrl.c:277:aac_close_fib_context:
ERROR:TAINTED:277:277: dereferencing tainted ptr 'fibctx' [Callstack:
/home/junfeng/linux-2.5.63/drivers/scsi/sg.c:1002:aac_cfg_ioctl((tainted 3)) ->
/home/junfeng/linux-2.5.63/drivers/scsi/aacraid/linit.c:671:aac_do_ioctl((tainted 2)) ->
/home/junfeng/linux-2.5.63/drivers/scsi/aacraid/commctrl.c:421:close_getadapter_fib((tainted 1)) ->
/home/junfeng/linux-2.5.63/drivers/scsi/aacraid/commctrl.c:348:aac_close_fib_context((tainted 1))]

    while (!list_empty(&fibctx->fibs)) {
        struct list_head * entry;
        /*
         * Pull the next fib from the fibs
         */
Error --->
        entry = fibctx->fibs.next;
        list_del(entry);
        fib = list_entry(entry, struct hw_fib, header.FibLinks);
        fibctx->count--;
---------------------------------------------------------
As it turns out, the driver is fine. It is dereferencing a
user-supplied pointer (fibctx), but it keeps a list of valid structures
and has already made sure fibctx is one of them before using it. This
is in contrast to the PCMCIA code, which uses a magic number to verify
(as discussed yesterday) rather than keeping a list of all valid
pointers.
The attached aacraid patch may help the checker, and should be
functionally equivalent... but isn't necessary.
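As an added illustration (not the aacraid driver's code and not the attached patch), the following stand-alone C program shows the pattern described above: the kernel side keeps a registry of live contexts, and an ioctl-style handler accepts a user-supplied handle only when it equals the address of a currently registered context, refusing forged or stale values before anything is dereferenced. All ex_-prefixed names are hypothetical, the contexts come from a constructed static pool instead of kmalloc, and the list helpers stand in for the kernel's list_head API.

```c
/* Added example (not aacraid code): validate a tainted context handle
 * against a registry of live contexts before dereferencing it.
 * All ex_-prefixed names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct ex_list_head { struct ex_list_head *next, *prev; };

static void ex_list_init(struct ex_list_head *h) { h->next = h->prev = h; }
static int ex_list_empty(const struct ex_list_head *h) { return h->next == h; }
static void ex_list_add_tail(struct ex_list_head *n, struct ex_list_head *h)
{
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void ex_list_del(struct ex_list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}
#define ex_list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Per-opener context: its address is handed to user space as an opaque
 * handle and comes back, tainted, on later ioctls. */
struct ex_fib_context {
    struct ex_list_head link;   /* membership in the adapter's registry */
    struct ex_list_head fibs;   /* FIBs queued for this context */
    int count;
};
struct ex_fib { struct ex_list_head link; };

/* Adapter-wide registry of live contexts (kernel-owned memory). */
static struct ex_list_head ex_registry = { &ex_registry, &ex_registry };
/* Constructed pool standing in for kmalloc'd contexts. */
static struct ex_fib_context ex_pool[4];

/* Handle value user space would hold for pool slot `slot`. */
uintptr_t ex_handle(int slot) { return (uintptr_t)&ex_pool[slot]; }

/* Register a context so its handle becomes acceptable to ioctls. */
struct ex_fib_context *ex_open_context(int slot)
{
    struct ex_fib_context *ctx;
    if (slot < 0 || slot >= 4) return NULL;
    ctx = &ex_pool[slot];
    ex_list_init(&ctx->fibs);
    ctx->count = 0;
    ex_list_add_tail(&ctx->link, &ex_registry);
    return ctx;
}

/* The check the checker could not see: only a handle equal to the
 * address of a currently registered context is accepted. */
struct ex_fib_context *ex_lookup_context(uintptr_t user_handle)
{
    struct ex_list_head *p;
    for (p = ex_registry.next; p != &ex_registry; p = p->next) {
        struct ex_fib_context *ctx = ex_list_entry(p, struct ex_fib_context, link);
        if ((uintptr_t)ctx == user_handle)
            return ctx;
    }
    return NULL;
}

/* Queue one FIB on a context; returns the new count or -1. */
int ex_queue_fib(struct ex_fib_context *ctx)
{
    struct ex_fib *fib = malloc(sizeof *fib);
    if (!ctx || !fib) { free(fib); return -1; }
    ex_list_add_tail(&fib->link, &ctx->fibs);
    return ++ctx->count;
}

/* Mirror of the flagged loop: drain the FIB list, then unregister.
 * Safe only because the caller has already validated ctx. */
static int ex_close_context(struct ex_fib_context *ctx)
{
    int drained = 0;
    while (!ex_list_empty(&ctx->fibs)) {
        struct ex_list_head *entry = ctx->fibs.next;
        ex_list_del(entry);
        free(ex_list_entry(entry, struct ex_fib, link));
        ctx->count--;
        drained++;
    }
    ex_list_del(&ctx->link);
    return drained;
}

/* ioctl-style entry point: returns FIBs freed, or -1 (EINVAL in-kernel)
 * for a forged, stale or otherwise unregistered handle. */
int ex_close_ioctl(uintptr_t user_handle)
{
    struct ex_fib_context *ctx = ex_lookup_context(user_handle);
    if (!ctx)
        return -1;
    return ex_close_context(ctx);
}

int main(void)
{
    ex_open_context(0);
    ex_queue_fib(ex_lookup_context(ex_handle(0)));
    ex_queue_fib(ex_lookup_context(ex_handle(0)));
    printf("forged handle: %d\n", ex_close_ioctl(ex_handle(0) + 1));
    printf("live handle:   %d FIBs drained\n", ex_close_ioctl(ex_handle(0)));
    printf("stale handle:  %d\n", ex_close_ioctl(ex_handle(0)));
    return 0;
}
```

The registry walk is what makes the later dereference sound: a handle that is off by one byte, never registered, or already closed never reaches ex_close_context. A magic-number scheme of the kind mentioned for the PCMCIA code only tests a field of whatever memory the handle points at, so it has to read through the tainted pointer before it can decide whether the pointer was valid.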
--
Hollis Blanchard
IBM Linux Technology Center
Attachment:
aacraid-userptr.diff
Description: Binary data