Indeed; the bug in the uuid_strategy which you pointed out in the
random driver wasn't caused by the fact that we were using a
user-specified length (since the length was being capped to a maximum
value of 16). The security bug was that the test was done on a signed
value, and copy_to_user() takes an unsigned value.
So your checker found a real bug, but it wasn't the one that the
checker thought it was. :-)
Alan, I assume you've fixed this already, but here's a patch in case
you haven't. Note this also fixes the problem pointed out
by Florian Weimer about copy_to_user being passed a null pointer in
the RANDOM_UUID case.
- Ted
--- random.c 2001/06/09 18:05:08 1.1
+++ random.c 2001/06/09 18:05:19
@@ -1793,7 +1793,7 @@
void *newval, size_t newlen, void **context)
{
unsigned char tmp_uuid[16], *uuid;
- int len;
+ unsigned int len;
if (!oldval || !oldlenp)
return 1;
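Review bot: `unsigned int len` fixes the signed comparison, but the statement that fills `len` from `oldlenp` is not in this hunk, and `put_user(len, oldlenp)` in the next hunk writes it back through `oldlenp`'s pointee type; declaring `len` with that same type (e.g. `size_t len;`) would keep the read, the `len > 16` cap and the write-back in one width and rule out a truncation reintroducing a mismatch. The unchanged `return 1;` for a missing `oldval`/`oldlenp` is also a positive value where the rest of the routine returns negative errnos; worth a look while here.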
@@ -1810,7 +1810,7 @@
if (len) {
if (len > 16)
len = 16;
- if (copy_to_user(oldval, table->data, len))
+ if (copy_to_user(oldval, uuid, len))
return -EFAULT;
if (put_user(len, oldlenp))
return -EFAULT;
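Review bot: `uuid` is assigned outside this hunk, so confirm that both the RANDOM_UUID path (the `tmp_uuid` buffer declared above) and the ordinary `table->data` path set it before this `copy_to_user(oldval, uuid, len)`; otherwise the pointer is used uninitialized on one of them. Also, because the copy and the `put_user` sit under `if (len)`, a zero-length request never updates `*oldlenp`; if that is the intended sysctl semantics it deserves a line in the changelog.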
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
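The signed/unsigned point above, as an added illustration that is not part of Ted's message or of the kernel's random.c: fake_copy_to_user, uuid_len_signed, uuid_len_unsigned, read_uuid and read_uuid_requested are constructed here, and the UUID bytes are sample data. copy_to_user's length is modeled as size_t (the kernel's is unsigned long); the fake rejects a NULL source to mirror the RANDOM_UUID case Florian pointed out, where the old code copied from a NULL table->data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's copy_to_user(): the length
 * parameter is unsigned, so a negative int passed to it silently becomes
 * a huge value. This fake refuses a NULL source or destination and any
 * copy larger than the destination, and records the length it was asked
 * for so the caller can inspect what the real function would have seen. */
static int fake_copy_to_user(unsigned char *dst, size_t dst_size,
                             const unsigned char *src, size_t n,
                             size_t *requested)
{
    *requested = n;
    if (dst == NULL || src == NULL || n > dst_size)
        return 1;   /* the kernel would fault or leak memory here */
    memcpy(dst, src, n);
    return 0;
}

/* Pre-patch shape: len is a signed int, so "len > 16" does not catch a
 * negative length, and the conversion to size_t turns -1 into SIZE_MAX. */
size_t uuid_len_signed(int len)
{
    if (len > 16)
        len = 16;
    return (size_t)len;
}

/* Post-patch shape: len is unsigned, so every value above 16, including
 * the bit pattern that was -1 as an int, is capped at 16. */
size_t uuid_len_unsigned(unsigned int len)
{
    if (len > 16)
        len = 16;
    return (size_t)len;
}

/* Models the read side of the strategy routine with a user-controlled
 * length. use_unsigned selects the pre- or post-patch cap; src_is_null
 * models copying from a NULL table->data instead of the uuid buffer.
 * Returns 0 on success, -1 where copy_to_user would fail; *requested
 * receives the length the copy was asked for. */
int read_uuid(int user_len, int use_unsigned, int src_is_null,
              size_t *requested)
{
    /* constructed sample UUID bytes standing in for tmp_uuid / table->data */
    static const unsigned char uuid[16] = {
        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
        0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
    };
    unsigned char user_buf[16] = {0};
    const unsigned char *src = src_is_null ? NULL : uuid;
    size_t n = use_unsigned ? uuid_len_unsigned((unsigned int)user_len)
                            : uuid_len_signed(user_len);

    if (n == 0) {            /* mirrors the "if (len)" guard: nothing copied */
        *requested = 0;
        return 0;
    }
    return fake_copy_to_user(user_buf, sizeof user_buf, src, n, requested)
               ? -1 : 0;
}

/* Convenience wrapper: only the copy length read_uuid would ask for. */
size_t read_uuid_requested(int user_len, int use_unsigned)
{
    size_t n = 0;
    (void)read_uuid(user_len, use_unsigned, 0, &n);
    return n;
}

int main(void)
{
    size_t n;
    int rc;

    rc = read_uuid(-1, 0, 0, &n);
    printf("signed   cap, len=-1: rc=%d, copy length=%zu\n", rc, n);
    rc = read_uuid(-1, 1, 0, &n);
    printf("unsigned cap, len=-1: rc=%d, copy length=%zu\n", rc, n);
    rc = read_uuid(16, 1, 1, &n);
    printf("NULL source, len=16:  rc=%d\n", rc);
    return 0;
}
```

With the signed cap a user length of -1 sails past `len > 16` and reaches the copy as SIZE_MAX; with the unsigned cap the same bit pattern is clamped to 16, which is why the one-word type change in the patch is the actual security fix.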