[CHECKER][PATCH] radio-cadet.c bad copy_to_user

From: Hollis Blanchard (hollisb@us.ibm.com)
Date: Mon Jun 02 2003 - 16:03:47 EST


The Stanford checker said:
---------------------------------------------------------
[BUG] pass kernel pointer into copy_*_user. bug is in VIDIOCGTUNER. Should not call copy_to_user on arg since arg is already in kernel space.

/home/junfeng/linux-2.5.63/drivers/media/radio/radio-cadet.c:397:cadet_do_ioctl:
ERROR:TAINTED:397:397: dereferencing tainted ptr 'v' [Callstack: ]

        {
                case VIDIOCGCAP:
                {
                        struct video_capability *v = arg;
                        memset(v,0,sizeof(*v));

Error --->
                        v->type=VID_TYPE_TUNER;
                        v->channels=2;
                        v->audios=1;
                        strcpy(v->name, "ADS Cadet");
---------------------------------------------------------

As pointed out, 'v' is not tainted. The driver shouldn't be using
copy_to_user() in cadet_do_ioctl() at all: cadet_do_ioctl() is being
called by drivers/media/video/videodev.c:video_usercopy(), which has
already copied the buffer 'arg' (aka 'v') into kernel space, and will
copy it back after cadet_do_ioctl() returns. So all the direct 'v'
accesses are correct.

-- 
Hollis Blanchard
IBM Linux Technology Center

===== drivers/media/radio/radio-cadet.c 1.13 vs edited ===== --- 1.13/drivers/media/radio/radio-cadet.c Fri Apr 4 11:34:37 2003 +++ edited/drivers/media/radio/radio-cadet.c Wed May 28 17:36:32 2003 @@ -389,9 +389,6 @@ v->flags|=VIDEO_TUNER_STEREO_ON; } v->flags|=cadet_getrds(); - if(copy_to_user(arg,&v, sizeof(v))) { - return -EFAULT; - } break; case 1: strcpy(v->name,"AM"); @@ -402,9 +399,6 @@ v->mode=0; v->mode|=VIDEO_MODE_AUTO; v->signal=sigstrength; - if(copy_to_user(arg,&v, sizeof(v))) { - return -EFAULT; - } break; } return 0;
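Review bot: the two removed calls in the VIDIOCGTUNER hunks, `if(copy_to_user(arg,&v, sizeof(v)))`, were copying `&v` with `sizeof(v)`, i.e. the bytes of the pointer variable itself rather than the tuner struct it points to, so independent of `arg` already being a kernel buffer they could never have delivered the tuner data; removing them is the right fix rather than correcting the arguments. Since the hunks now show both cases falling through to `return 0;` with no copy-out at all, the changelog should state that video_usercopy() performs the copy-back for this command, and the remaining copy_*_user() uses in cadet_do_ioctl() deserve the same check.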

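As an added illustration (not code from the mail or from the kernel tree), here is a user-space model of the copy-in, dispatch, copy-back pattern the mail attributes to video_usercopy(): the handler writes through the kernel-side pointer and the wrapper does the single copy back, and the last two helpers show why the removed `copy_to_user(arg, &v, sizeof(v))` could only ever have moved a pointer's worth of bytes. The struct layout, the `usercopy`/`tuner_ioctl`/`query_tuner` names and the memcpy stand-ins for copy_*_user() are constructed assumptions, not the real V4L1 definitions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the V4L1 tuner struct; not the real layout. */
struct video_tuner { char name[32]; int flags; int signal; };

/* Stand-ins for copy_from_user()/copy_to_user(): plain memcpy, never fail. */
static int copy_in(void *k, const void *u, size_t n) { memcpy(k, u, n); return 0; }
static int copy_out(void *u, const void *k, size_t n) { memcpy(u, k, n); return 0; }

typedef int (*ioctl_fn)(unsigned int cmd, void *arg);

/* Model of the video_usercopy() pattern described in the mail: copy the user
 * buffer into a kernel-side temporary, run the handler on that copy, then
 * copy the result back to user space exactly once. */
static int usercopy(unsigned int cmd, void *user_arg, size_t len, ioctl_fn fn)
{
    char kbuf[64];                          /* kernel-side temporary */
    int err;

    if (len > sizeof kbuf) return -1;
    if (copy_in(kbuf, user_arg, len)) return -14;   /* -EFAULT */
    err = fn(cmd, kbuf);
    if (err) return err;
    if (copy_out(user_arg, kbuf, len)) return -14;
    return 0;
}

/* Handler written the way the patched driver works: 'arg' is already the
 * kernel copy, so fill it in directly and let the wrapper copy it back. */
static int tuner_ioctl(unsigned int cmd, void *arg)
{
    struct video_tuner *v = arg;
    (void)cmd;
    strcpy(v->name, "FM");
    v->flags = 1;
    v->signal = 0xffff;
    return 0;
}

/* User-space caller: fills 'out' through the wrapper; returns 0 on success. */
int query_tuner(struct video_tuner *out)
{
    return usercopy(1, out, sizeof *out, tuner_ioctl);
}

/* With 'v' a pointer, sizeof(v) is the pointer's size, not the struct's, so
 * the removed copy_to_user(arg, &v, sizeof(v)) could only move that much. */
size_t removed_call_length(void) { struct video_tuner *v = NULL; return sizeof(v); }
size_t struct_length(void) { return sizeof(struct video_tuner); }
```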
