[CHECKER] pcmcia user-pointer dereference

Hollis Blanchard (hollisb@us.ibm.com)
Thu, 29 May 2003 16:11:19 -0500


On Mon, 12 May 2003 Junfeng wrote:
>
> here is a detailed explanation in case the warning itself isn't clear:
>
> 1. ds_ioctl is assigned to file_operations.ioctl
> so its argument 'arg' is tainted. verify_area is
> also called on 'arg', which confirms this.
>
> 2. copy_from_user (&buf, arg, _) copies in the content of arg
>
> 3. buf.win_info.handle is thus a user provided pointer.
>
> 4. pcmcia_get_mem_page dereferences its first parameter, in this case
> buf.win_info.handle

I contacted David Hinds about this; the behavior is by design. User
space passes in a pointer to a kernel data structure, and the kernel
verifies it by checking a magic number in that structure.

It seems possible to perform some activity from user space to get the
magic number into (any) kernel memory, then iterate over kernel space
by passing pointers to the pcmcia ds_ioctl() until you manage to
corrupt something. But I'm not really a security guy...

-- 
Hollis Blanchard
IBM Linux Technology Center

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
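The check Hollis describes (a user-supplied pointer to a kernel structure, accepted if the structure carries the right magic number) and the obvious alternative (an integer handle resolved in a kernel-owned table) side by side, as an added example. This is not code from the mail or from the pcmcia driver; it is a user-space C model, and every name in it (window_t, WINDOW_MAGIC, get_mem_page_by_pointer, get_mem_page_by_index, the table layout) is an assumption made for illustration. The "forged" structure stands in for whatever memory an attacker has managed to place the magic in, which is the scenario the mail speculates about.

```c
/* Added example, not code from the mail or from the pcmcia driver: a
 * user-space model of the handle check described above.  All names
 * (window_t, WINDOW_MAGIC, get_mem_page_by_pointer, get_mem_page_by_index)
 * are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_MAGIC 0x57494e44u      /* assumed magic value */
#define MAX_WINDOWS  4

typedef struct {
    uint32_t magic;
    uint32_t base_page;
} window_t;

/* "Kernel" state: the real window objects and which slots are live. */
static window_t windows[MAX_WINDOWS];
static int      in_use[MAX_WINDOWS];

static void init_windows(void)
{
    memset(windows, 0, sizeof windows);
    memset(in_use, 0, sizeof in_use);
    windows[0] = (window_t){ WINDOW_MAGIC, 0x100 }; in_use[0] = 1;
    windows[1] = (window_t){ WINDOW_MAGIC, 0x200 }; in_use[1] = 1;
}

/* Vulnerable pattern: the handle is a pointer copied in from user space and
 * validated only by the magic number in the memory it points at. */
static long get_mem_page_by_pointer(const window_t *win)
{
    if (win == NULL || win->magic != WINDOW_MAGIC)
        return -1;
    return (long)win->base_page;
}

/* Hardened pattern: the handle is a small integer; the kernel resolves it
 * in its own table and never dereferences a caller-supplied address. */
static long get_mem_page_by_index(unsigned idx)
{
    if (idx >= MAX_WINDOWS || !in_use[idx])
        return -1;
    return (long)windows[idx].base_page;
}

/* Genuine handle: both designs return the right page. */
static long legit_pointer_result(void)
{
    init_windows();
    return get_mem_page_by_pointer(&windows[1]);
}

static long legit_index_result(void)
{
    init_windows();
    return get_mem_page_by_index(1);
}

/* Forged handle: the caller points at memory it controls that merely
 * carries the magic (standing in for whatever memory the attacker got the
 * magic into).  The pointer check accepts it and reads attacker data. */
static long forged_pointer_result(void)
{
    window_t forged = { WINDOW_MAGIC, 0xdead };   /* constructed attacker data */
    init_windows();
    return get_mem_page_by_pointer(&forged);
}

/* The index design has no equivalent forgery: an out-of-range or unused
 * slot is rejected before anything is dereferenced. */
static long forged_index_result(void)
{
    init_windows();
    return get_mem_page_by_index(7);
}

int main(void)
{
    printf("pointer, genuine: 0x%lx\n", legit_pointer_result());
    printf("pointer, forged : 0x%lx  (accepted)\n", forged_pointer_result());
    printf("index, genuine  : 0x%lx\n", legit_index_result());
    printf("index, forged   : %ld  (rejected)\n", forged_index_result());
    return 0;
}
```

The point of the model is the one the mail makes: a magic number only proves that the pointed-at memory contains the magic, not that the pointer came from the kernel, so the check is only as strong as the attacker's inability to place that value somewhere the kernel will read. Resolving an integer handle in a kernel-owned table removes the caller's control over the address entirely, which is the check a practitioner would want in place of the magic test.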