[CHECKER] user-pointer bugs in 2.4.4 and 2.4.4-ac8

From: Dawson Engler (engler@csl.Stanford.EDU)
Date: Thu May 24 2001 - 16:12:02 EST


Hi All,

Enclosed are 10 probable security holes where code treats a pointer as
a bad user pointer in one place (by passing it as an argument to a
*_user or verify_area routine) but then dereferences it, or passes it
to a routine that does dereference it somewhere else.

We've reported many of these bugs before.

        Summary for
                2.4.4ac8-specific errors = 4
                2.4.4-specific errors = 0
                Common errors = 6
                Total = 10

Dawson

# BUGs | File Name
5 | drivers/isdn/eicon/linchr.c
3 | drivers/net/appletalk/ipddp.c
1 | net/decnet/af_decnet.c
1 | drivers/telephony/ixj.c

############################################################
# 2.4.4ac8 specific errors
#
---------------------------------------------------------
[BUG] supposed to at least be bad form.
/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:64:do_ioctl: ERROR:PARAM:62:64: tainted var 'pDivaConfig' (from line 62) used as arg 0 to 'DivasCardConfig'
        switch (command)
        {
                case DIA_IOCTL_CONFIG:
                        pDivaConfig = (dia_config_t *) arg;
                        
Start --->
                        if (!verify_area(VERIFY_READ, pDivaConfig, sizeof(dia_config_t)))
                        {
Error --->
                                DivasCardConfig(pDivaConfig);
                        }
                        else
                        {
---------------------------------------------------------
[BUG]supposed to at least be bad form.
/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:186:do_ioctl: ERROR:PARAM:184:186: tainted var 'mem_block' (from line 184) used as arg 0 to 'DivasGetMem'
                        return 0;

                case DIA_IOCTL_GET_MEM:
                        mem_block = (mem_block_t *) arg;
                        
Start --->
                        if (!verify_area(VERIFY_WRITE, mem_block, sizeof(mem_block_t)))
                        {
Error --->
                                DivasGetMem(mem_block);
                        }
                        else
                        {
---------------------------------------------------------
[BUG]supposed to at least be bad form.
/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:131:do_ioctl: ERROR:PARAM:129:131: tainted var 'pDivaLog' (from line 129) used as arg 0 to 'DivasLog'
                        return 0;

                case DIA_IOCTL_LOG:
                        pDivaLog = (dia_log_t *) arg;
                        
Start --->
                        if (!verify_area(VERIFY_READ, pDivaLog, sizeof(dia_log_t)))
                        {
Error --->
                                DivasLog(pDivaLog);
                        }
                        else
                        {
---------------------------------------------------------
[BUG]supposed to at least be bad form.
/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:172:do_ioctl: ERROR:PARAM:142:172: tainted var 'arg' (from line 142) used as arg 0 to 'DivasGetList'
                        }
                        return 0;

                case DIA_IOCTL_XLOG_REQ:
                        
Start --->
                        if (!verify_area(VERIFY_READ, (void *)arg, sizeof(word)))

        ... DELETED 24 lines ...

                case DIA_IOCTL_GET_LIST:
                        DPRINTF(("divas: DIA_IOCTL_GET_LIST"));
                        
                        if (!verify_area(VERIFY_WRITE, (void *)arg, sizeof(dia_card_list_t)))
                        {
Error --->
                                DivasGetList((dia_card_list_t *)arg);
                        }
                        else
                        {

############################################################
# errors common to both

#
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/net/appletalk/ipddp.c:268:ipddp_ioctl: ERROR:PARAM:268:268: tainted var 'rt' (from line 268) used as arg 0 to 'ipddp_find_route'
        {
                case SIOCADDIPDDPRT:
                        return (ipddp_create(rt));

                case SIOCFINDIPDDPRT:

Error --->
                        if(copy_to_user(rt, ipddp_find_route(rt), sizeof(struct ipddp_route)))
---------------------------------------------------------
[BUG] but minor i think
/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:97:do_ioctl: ERROR:PARAM:95:97: Deref tainted var 'pDivaStart' (tainted from line 95)
                        return 0;

                case DIA_IOCTL_START:
                        pDivaStart = (dia_start_t *) arg;
                        
Start --->
                        if (!verify_area(VERIFY_READ, pDivaStart, sizeof(dia_start_t)))
                        {
Error --->
                                return DivasCardStart(pDivaStart->card_id);
                        }
                        else
                        {
---------------------------------------------------------
[BUG]
        ipddp_find derefs this struct.
        struct at_addr
        {
                __u16 s_net;
                __u8 s_node;
        };
/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/net/appletalk/ipddp.c:265:ipddp_ioctl: ERROR:PARAM:268:265: tainted var 'rt' (from line 268) used as arg 0 to 'ipddp_create'
                return -EPERM;

        switch(cmd)
        {
                case SIOCADDIPDDPRT:
Error --->
                        return (ipddp_create(rt));

                case SIOCFINDIPDDPRT:
Start --->
                        if(copy_to_user(rt, ipddp_find_route(rt), sizeof(struct ipddp_route)))
                                return -EFAULT;
                        return 0;

---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/net/appletalk/ipddp.c:273:ipddp_ioctl: ERROR:PARAM:268:273: tainted var 'rt' (from line 268) used as arg 0 to 'ipddp_delete'
        {
                case SIOCADDIPDDPRT:
                        return (ipddp_create(rt));

                case SIOCFINDIPDDPRT:
Start --->
                        if(copy_to_user(rt, ipddp_find_route(rt), sizeof(struct ipddp_route)))
                                return -EFAULT;
                        return 0;

                case SIOCDELIPDDPRT:
Error --->
                        return (ipddp_delete(rt));

                default:
                        return -EINVAL;
---------------------------------------------------------
[BUG] seems pretty confused.
/u2/engler/mc/oses/linux/2.4.4-ac8/net/decnet/af_decnet.c:1491:__dn_getsockopt: ERROR:PARAM:1438:1491: Deref tainted var 'optlen' (tainted from line 1438)
        struct linkinfo_dn link;
        unsigned int r_len;
        void *r_data = NULL;
        unsigned int val;

Start --->
        if(get_user(r_len , optlen))

        ... DELETED 47 lines ...

                        break;

                default:
#ifdef CONFIG_NETFILTER
                {
Error --->
                        int val, len = *optlen;
                        val = nf_getsockopt(sk, PF_DECnet, optname,
                                                        optval, &len);
                        if (val >= 0)
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.4-ac8/drivers/telephony/ixj.c:5063:ixj_ioctl: ERROR:PARAM:4702:5063: tainted var 'arg' (from line 4702) used as arg 1 to 'capabilities_check'
                break;
        case IXJCTL_SERIAL:
                retval = j->serial;
                break;
        case IXJCTL_VERSION:
Start --->
                if (copy_to_user((char *) arg, ixj_c_revision, strlen(ixj_c_revision)))

        ... DELETED 355 lines ...

        case PHONE_CAPABILITIES_LIST:
                if (copy_to_user((char *) arg, j->caplist, sizeof(struct phone_capability) * j->caps))
                         return -EFAULT;
                break;
        case PHONE_CAPABILITIES_CHECK:
Error --->
                retval = capabilities_check(j, (struct phone_capability *) arg);
                break;
        case PHONE_PSTN_SET_STATE:
                daa_set_mode(j, arg);

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Thu May 31 2001 - 21:00:19 EST