Re: [CHECKER] 5 potential user-pointer errors that allow arbitrary reads from kernel

Greg KH (greg@kroah.com)
Thu, 1 May 2003 13:52:19 -0700

On Wed, Apr 30, 2003 at 09:39:18PM -0700, Junfeng Yang wrote:
> ---------------------------------------------------------
> [BUG] proc_dir_entry.write_proc can take tainted inputs
>
> /home/junfeng/linux-2.5.63/drivers/usb/media/vicam.c:1117:vicam_write_proc_gain:
> ERROR:TAINTED:1117:1117: passing tainted ptr 'buffer' to simple_strtoul
> [Callstack:
> /home/junfeng/linux-2.5.63/net/core/pktgen.c:991:vicam_write_proc_gain((tainted
> 1))]
>
> static int vicam_write_proc_gain(struct file *file, const char *buffer,
> unsigned long count, void *data)
> {
> struct vicam_camera *cam = (struct vicam_camera *)data;
>
>
> Error --->
> cam->gain = simple_strtoul(buffer, NULL, 10);

Real bug, I'll fix this.

> ---------------------------------------------------------
> [BUG] proc_dir_entry.write_proc can take tainted inputs
>
> /home/junfeng/linux-2.5.63/drivers/usb/media/vicam.c:1107:vicam_write_proc_shutter:
> ERROR:TAINTED:1107:1107: passing tainted ptr 'buffer' to simple_strtoul
> [Callstack:
> /home/junfeng/linux-2.5.63/net/core/pktgen.c:991:vicam_write_proc_shutter((tainted
> 1))]
>
> static int vicam_write_proc_shutter(struct file *file, const char *buffer,
> unsigned long count, void *data)
> {
> struct vicam_camera *cam = (struct vicam_camera *)data;
>
>
> Error --->
> cam->shutter_speed = simple_strtoul(buffer, NULL, 10);

Again, real bug, I'll fix it.

thanks,

greg k-h
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/