Re: [CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data

From: Greg KH (greg@kroah.com)
Date: Tue Apr 29 2003 - 02:25:00 EST


On Sun, Apr 27, 2003 at 11:43:56PM -0700, Junfeng Yang wrote:
>
> ---------------------------------------------------------
> [BUG] buf is tainted. can print out arbitrary kernel data if debug is on
> /home/junfeng/linux-tainted/drivers/usb/serial/empeg.c:225:empeg_write:
> ERROR:TAINTED:225:225: passing tainted ptr 'buf' to usb_serial_debug_data
> [Callstack:
> /home/junfeng/linux-tainted/drivers/usb/serial/safe_serial.c:327:empeg_write((tainted
> 2))]
>
> int bytes_sent = 0;
> int transfer_size;
>
> dbg("%s - port %d", __FUNCTION__, port->number);
>
>
> Error --->
> usb_serial_debug_data (__FILE__, __FUNCTION__, count, buf);
>
> while (count > 0) {

Real problem, I'll fix it.

> ---------------------------------------------------------
> [BUG] can print out arbitrary kernel data if debug is on
> /home/junfeng/linux-tainted/drivers/usb/serial/ipaq.c:371:ipaq_write:
> ERROR:TAINTED:371:371: passing tainted ptr 'buf' to usb_serial_debug_data
> [Callstack:
> /home/junfeng/linux-tainted/drivers/usb/serial/safe_serial.c:327:ipaq_write((tainted
> 2))]
>
> int bytes_sent = 0;
> int transfer_size;
>
> dbg("%s - port %d", __FUNCTION__, port->number);
>
>
> Error --->
> usb_serial_debug_data(__FILE__, __FUNCTION__, count, buf);

Real problem, I'll fix it.

> ---------------------------------------------------------
> [BUG] can print out arbitrary kernel data if debug is on
> /home/junfeng/linux-tainted/drivers/usb/serial/keyspan.c:328:keyspan_write:
> ERROR:TAINTED:328:328: dereferencing tainted ptr 'buf' [Callstack: ]
>
>
> p_priv = usb_get_serial_port_data(port);
> d_details = p_priv->device_details;
>
> dbg("%s - for port %d (%d chars [%x]), flip=%d",
>
> Error --->
> __FUNCTION__, port->number, count, buf[0], p_priv->out_flip);

Real problem, I'll fix it.

> ---------------------------------------------------------
> [BUG] at least bad programming practice. call usb_serial_debug_data on
> tainted pointer data. it is verified by previous call to copy_*_user.
>
> /home/junfeng/linux-tainted/drivers/usb/serial/io_edgeport.c:1381:edge_write:
> ERROR:TAINTED:1381:1381: passing tainted ptr 'data' to
> usb_serial_debug_data [Callstack: ]
>
> fifo->head += secondhalf;
> // No need to check for wrap since we can not get to end
> of fifo in this part
> }
>
> if (copySize) {
>
> Error --->
> usb_serial_debug_data (__FILE__, __FUNCTION__, copySize,
> data);

Again, a real problem, I'll fix it.

Thanks a lot for finding these, I think these problems are also in
2.4...

greg k-h
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Apr 30 2003 - 22:00:31 EST