Re: PATCH: 2.6.7-rc3 drivers/message/i2o/i2o_config.c: user/kernel pointer bugs

[viro]

On Wed, Jun 09, 2004 at 04:01:02PM -0700, Robert T. Johnson wrote:
> Since arg is a user pointer, accessing values like cmd->iop requires an 
> unsafe user pointer dereference.
> 
> QUESTION: Does ioctl_passthru mean arg is a kernel pointer?  If so, then
> disregard this bug report.

No - we have ->ioctl [== cfg_ioctl()] -> ioctl_passthru() chain in there,
so at the very least it can get arbitrary pointers straight from userland.

And yes, these cmd->iop and cmd->msg dereferences are broken.

> +	if (copy_from_user(&cmd, (void *)arg, sizeof(cmd)))
> +	  return -EFAULT;

Fix the indentation, please.

> -	memset(&msg, 0, MSG_FRAME_SIZE*4);
> +	memset(msg, 0, MSG_FRAME_SIZE*4);

Not needed; they are equivalent and both legitimate.  So that just clutters
the patch.

> -		memset(&msg, 0, MSG_FRAME_SIZE*4);
> +		memset(msg, 0, MSG_FRAME_SIZE*4);

Ditto.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/