Re: [CHECKER] 1 potential dereference of user-pointer without verification

Junfeng Yang (yjf@stanford.edu)
Sun, 11 May 2003 23:44:14 -0700 (PDT)


here is a detailed explanation in case the warning itself isn't clear:

1. ds_ioctl is assigned to file_operations.ioctl
so its argument 'arg' is tainted. verify_area is
also called on 'arg', which confirms.

2. copy_from_user (&buf, arg, _) copies in the content of arg

3. buf.win_info.handle is thus a user provided pointer.

4. pcmcia_get_mem_page dereferences its first parameter, in this case
buf.win_info.handle

-Junfeng

On Sun, 11 May 2003, Junfeng Yang wrote:

>
> Hi,
>
> Below is a warning found in pcmcia/ds.c, where a user pointer is
> dereferenced without a check. Please confirm or clarify. Thanks!
>
> -Junfeng
>
> ---------------------------------------------------------
>
> [BUG] buf is tainted implies buf.win_info.handle is tainted.
> pcmcia_get_mem_page dereferences its first parameter
>
> /home/junfeng/linux-tainted/drivers/pcmcia/ds.c:814:ds_ioctl:
> ERROR:TAINTED: 814:814:deref tainted component 'buf.win_info.handle'
> [struct=win_info_t.handle] [type=call]
>
> break;
> case DS_GET_NEXT_WINDOW:
> ret = pcmcia_get_next_window(&buf.win_info.handle,
> &buf.win_info.window);
> break;
> case DS_GET_MEM_PAGE:
>
> Error --->
> ret = pcmcia_get_mem_page(buf.win_info.handle,
> &buf.win_info.map);
> break;
> case DS_REPLACE_CIS:
>
>

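The flow in steps 1-4 of the message above, modelled in userspace C as an added example; it is not code from the original message or from the kernel's ds.c. The struct layouts, the `windows` registry and every function name are assumptions made for illustration: the unchecked handler shows the flagged pattern, and the checked one treats the copied-in handle as an opaque value to be matched against kernel-issued objects.

```c
/* Added illustration: a userspace model, not the kernel's ds.c.
 * All struct and function names here are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WINDOW_MAGIC 0x574e
struct window   { int magic; unsigned long base; };            /* kernel-owned */
struct win_info { struct window *handle; unsigned long map; }; /* ioctl payload */

/* Kernel-side registry; only slots 0 and 1 have been issued (constructed data). */
static struct window windows[4] = { { WINDOW_MAGIC, 0x1000 }, { WINDOW_MAGIC, 0x2000 } };

/* Stand-in for copy_from_user(): every byte of *dst is untrusted afterwards. */
static void model_copy_from_user(struct win_info *dst, const void *src)
{
    memcpy(dst, src, sizeof(*dst));
}

/* The flagged pattern: a pointer taken from the copied-in struct is
 * dereferenced directly, so the caller chooses the address that is read. */
long get_mem_page_unchecked(const void *user_arg)
{
    struct win_info buf;
    model_copy_from_user(&buf, user_arg);
    return (long)buf.handle->base;
}

/* Hardened form: the untrusted value is only compared against addresses the
 * kernel issued; the dereference goes through the registry slot. */
long get_mem_page_checked(const void *user_arg)
{
    struct win_info buf;
    model_copy_from_user(&buf, user_arg);
    for (size_t i = 0; i < sizeof(windows) / sizeof(windows[0]); i++)
        if (buf.handle == &windows[i] && windows[i].magic == WINDOW_MAGIC)
            return (long)windows[i].base;
    return -EINVAL;
}

/* Builds the "user" buffer with a chosen handle and runs the checked handler. */
long try_handle(struct window *h)
{
    struct win_info user = { h, 0 };
    return get_mem_page_checked(&user);
}

int main(void) { return try_handle(&windows[0]) == 0x1000 ? 0 : 1; }
```

Checking a magic field through the user-supplied pointer would not be enough here, since reading the field is already the unverified dereference the checker reports.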