Re: [CHECKER] Probable security holes in 2.6.5
From: Chris Wright
Date: Fri Apr 16 2004 - 13:34:29 EST
* Ken Ashcraft (ken@xxxxxxxxxxxx) wrote:
> [BUG]
> /home/kash/linux/linux-2.6.5/drivers/scsi/gdth.c:5068:ioc_general:
> ERROR:TAINT: 5059:5068:Passing unbounded user value "((gen).data_len +
> (gen).sense_len)" as arg 2 to function "copy_from_user", which uses it
> unsafely in model [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)]
> [SINK_MODEL=(lib,copy_from_user,user,trustingsink)] [PATH=
> "((gen).data_len + (gen).sense_len) != 0" on line 5064 is false =>
> "(gen).ionode >= gdth_ctr_count" on line 5059 is false =>
> "copy_from_user != 0" on line 5059 is false]
> #else
> Scsi_Cmnd scp;
> Scsi_Device sdev;
> #endif
>
> Start --->
> if (copy_from_user(&gen, (char *)arg,
> sizeof(gdth_ioctl_general)) ||
> gen.ionode >= gdth_ctr_count)
> return -EFAULT;
> hanum = gen.ionode;
> ha = HADATA(gdth_ctr_tab[hanum]);
> if (gen.data_len + gen.sense_len != 0) {
> if (!(buf = gdth_ioctl_alloc(hanum, gen.data_len +
> gen.sense_len,
> FALSE, &paddr)))
> return -EFAULT;
> Error --->
> if (copy_from_user(buf, (char *)arg +
> sizeof(gdth_ioctl_general),
> gen.data_len + gen.sense_len)) {
> gdth_ioctl_free(hanum, gen.data_len+gen.sense_len, buf,
> paddr);
> return -EFAULT;
Agreed this looks like it should be limited, but I'm not sure what valid
limits might be. Seems this will specify size to pci_alloc_consitent(),
and then use that buffer.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/