[PATCH] Re: [CHECKER] security errors for 2.4.9 and 2.4.9-ac7

Philipp Matthias Hahn (pmhahn@titan.lahn.de)
Fri, 7 Sep 2001 08:51:18 +0200 (CEST)


Hello Linus, Alan, Dag, LKML, IrDA!

Please apply, the patch was sent to Dag and Jean, Jean gave his OK, Dag
didn't reply. The patch is obvious correct.

--- linux-2.4.7/net/irda/af_irda.c~ Thu Jul 12 14:21:06 2001
+++ linux-2.4.7/net/irda/af_irda.c Sat Jul 14 12:36:07 2001
@@ -2035,7 +2035,7 @@
if (get_user(len, optlen))
return -EFAULT;

- if(optlen < 0)
+ if(len < 0)
return -EINVAL;

switch (optname) {

On Tue, 4 Sep 2001, Kenneth Michael Ashcraft wrote:

> I've extended the security checker (makes sure that user lengths are
> bounds checked) quite a bit since my last report on July 13. The checker
> makes sure that bounds checks are present before a user length is:
...
> 1 | /home/kash/linux/2.4.9/net/irda/af_irda.c/
...
> ---------------------------------------------------------
> [BUG] looks like it
> /home/kash/linux/2.4.9/net/irda/af_irda.c:2064:irda_getsockopt: ERROR:RANGE:2063:2064: Using user length "(null)" as argument to "copy_to_user" [type=LOCAL] [state = tainted] set by 'get_user':2064 [linkages -> 2063:len:start] [distance=3]
> sizeof(struct irda_device_info);
>
> /* Copy the list itself */
> total = offset + (list.len * sizeof(struct irda_device_info));
> if (total > len)
> Start --->
> total = len;
> Error --->
> if (copy_to_user(optval+offset, discoveries, total - offset))
> err = -EFAULT;
>
> /* Write total number of bytes used back to client */
> ---------------------------------------------------------

BYtE
Philipp

-- 
  / /  (_)__  __ ____  __ Philipp Hahn
 / /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_,_/ /_/\_\ pmhahn@titan.lahn.de

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/