Re: [CHECKER] security errors for 2.4.9 and 2.4.9-ac7

Petr Vandrovec (vandrove@vc.cvut.cz)
Tue, 4 Sep 2001 23:56:55 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Samium Gromoff: "procFS performance"
Previous message: Andries.Brouwer@cwi.nl: "Re: [resend PATCH] reserve BLKGETSIZE64 ioctl"

On Tue, Sep 04, 2001 at 02:07:05PM -0700, Kenneth Michael Ashcraft wrote:
> /home/kash/linux/2.4.9/fs/ncpfs/ioctl.c:394:ncp_ioctl: ERROR:RANGE:387:394: Using user length "outl" as argument to "copy_to_user" [type=LOCAL] [state = need_lb] set by 'copy_from_user':387 [linkages -> 387:outl=object_name_len -> 387:user->object_name
>
> if (copy_from_user(&user,
> (struct ncp_objectname_ioctl*)arg,
> sizeof(user))) return -EFAULT;
> user.auth_type = server->auth.auth_type;
> Start --->
> outl = user.object_name_len;
> user.object_name_len = server->auth.object_name_len;
> if (outl > user.object_name_len)
> outl = user.object_name_len;
> if (outl) {
> if (copy_to_user(user.object_name,
> server->auth.object_name,
> Error --->
> outl)) return -EFAULT;
> }
> if (copy_to_user((struct ncp_objectname_ioctl*)arg,
> &user,
> ---------------------------------------------------------
> [BUG] make user.len large enough so that outl becomes negative. outl will then be < server->priv.len and make it past the check (gem)
> /home/kash/linux/2.4.9/fs/ncpfs/ioctl.c:462:ncp_ioctl: ERROR:RANGE:456:462: Using user length "outl" as argument to "copy_to_user" [type=LOCAL] [state = need_lb] set by 'copy_from_user':456 [linkages -> 456:outl=len -> 456:user->len -> 456:user:start]

Hi Kenneth,
I'll fix these two - but fortunately they are no problem even now.
Although outl is defined as 'int', it is compared against
'user.object_name_len', which is 'size_t' (which is unsigned int),
so whole comparsion is done unsigned and not signed. Thanks
for spotting anyway, there is no reason why it should not be
size_t.
Petr Vandrovec
vandrove@vc.cvut.cz

P.S.: And report about drivers/video/matrox/matroxfb_crtc2:535
is completely innocent - it passes these three mentioned
ioctl types down to first head's ioctl handler (and it is
not sisfb_ioctl, definitely... usually it is matroxfb_ioctl
from matroxfb_base.c).

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Samium Gromoff: "procFS performance"
Previous message: Andries.Brouwer@cwi.nl: "Re: [resend PATCH] reserve BLKGETSIZE64 ioctl"