[CHECKER] Is this a bug?

Ken Ashcraft (kash@stanford.edu)
Thu, 1 Nov 2001 11:13:38 -0800 (PST)


Hi,

I'm trying to figure out if the following is a bug, but I don't understand
well enough how files work. This type of bug would be a security hole.
The user length "cmd" gets passed in to the sys_ioctl call. From there, if
it does not match one of the case statements, it is passed to a function
pointer. Here is where I'm hung up: I think a potential function for that
function pointer is ip2_ipl_ioctl-- I think this because it is assigned to
the ioctl field of a file_operations struct at one place in the code:

/* 2.4.12/drivers/char/ip2main.c */
/* This is the driver descriptor for the ip2ipl device, which is used to
* download the loadware to the boards.
*/
static struct file_operations ip2_ipl = {
owner: THIS_MODULE,
read: ip2_ipl_read,
write: ip2_ipl_write,
ioctl: ip2_ipl_ioctl,
open: ip2_ipl_open,
};

ip2_ipl_ioctl does not treat its command argument safely as shown below.

Here are the excerpts from the code:

/* 2.4.9-ac9/fs/ioctl.c:sys_ioctl */
asmlinkage long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long
arg)
{
...
switch (cmd) {
...
default:
error = -ENOTTY;
if (S_ISREG(filp->f_dentry->d_inode->i_mode))
error = file_ioctl(filp, cmd, arg);
else if (filp->f_op && filp->f_op->ioctl)
Call --->
error = filp->f_op->ioctl(filp->f_dentry->d_inode,
filp, cmd, arg);
}
}
/* 2.4.9-ac9/drivers/char/ip2main.c */
static int
ip2_ipl_ioctl ( struct inode *pInode, struct file *pFile, UINT cmd, ULONG
arg )
{
...
switch ( iplminor ) {
...
case 13:
switch ( cmd ) {
...
default:
Error--->
pCh = DevTable[cmd];
if ( pCh )
{
COPY_TO_USER(rc, (char*)arg, (char*)pCh,
sizeof(i2ChanStr) );
}
}
}
}

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/