Re: [CHECKER] 8 probable security errors

Alan Cox (alan@lxorguk.ukuu.org.uk)
Fri, 2 Nov 2001 23:38:22 +0000 (GMT)


>
> Start --->
> if (cmd.length){
> Error --->
> if( copy_from_user((void*)&mbox->data, u_data, cmd.length))
> return -EFAULT;

You have to be priviledged for this

> [BUG] tex gets copied in on line 1365. there are a number of paths to get to this error (gem)
> /home/kash/linux/2.4.12-ac3/drivers/char/drm/radeon_state.c:1107:radeon_cp_dispatch_texture: ERROR:RANGE:1000:1107: Using user length "tex_width" as argument to "copy_from_user" [type=LOCAL] [state = need_lb] set by 'inferred by call to copy_to_user, line 1058':1000 [linkages -> 1000:tex_width=(null) -> 1000:width op (null) -> 1000:tex->width -> 1000:tex:start] [distance=82]

This one looks real. Im still waiting for answers from the DRI folks

> [BUG]3 i think so. there is a check (dump.offset + dump.length >
> card->hw.memory)) that can be fooled with well chosen offset values.

Again firmware and privilegded

Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/