52 probable security holes in 2.4.6 and 2.4.6-ac2

Post by Kenneth Michael Ashcraft » Sun, 15 Jul 2001 08:30:11



Hi All,

Here are a bunch of probable security errors.  They have been sorted
into the appropriate source trees:

#  2.4.6-specific errors                  = 7
#  2.4.6ac2-specific errors               = 9
#  Common errors                          = 36
#  Total                                  = 52

These errors occur because user input (data from copy_from_user, get_user,
etc.) is used without being checked in the following ways:

        1. passed as a length argument to copy_*user (or passed to a
                function that does)
        2. is used as an array index.
        3. used as part of a pointer expression (e.g. ptr + user_value)
        4. passed as the size argument to *malloc (this is a minor bug
                as *malloc will fail if the size is too large, but that
                doesn't seem to be the best way to do bounds checking.)
        5. used as part of the conditional expression of a loop (most of
                the time these errors result in the user being able to
                make the loop go for a long time.)

I would like to extend this checker to look at data received from the network
because those errors would be remotely exploitable.  My understanding is that
this type of data would be in skb->data fields.  Are there other places that
the checker should be looking?  Also, how can we determine if the skb is on
the way in or the way out?  I know that we can look at the number of
assignments to the struct vs the number of assignments from the struct, but
if there is a naming convention or something similar, it would make things a
lot easier.

Further, if anyone has any ideas on other security checks that we should
be doing, please send me an email.

Ken Ashcraft
k...@stanford.edu

# BUGs  |       File Name
3       |       /home/kash/linux/2.4.6/drivers/block/DAC960.c/
3       |       /home/kash/linux/2.4.6/drivers/char/moxa.c/
3       |       /home/kash/linux/2.4.6/drivers/char/drm/mga_bufs.c/
2       |       /home/kash/linux/2.4.6/drivers/net/wan/sdla.c/
2       |       /home/kash/linux/2.4.6/drivers/cdrom/cdrom.c/
2       |       /home/kash/linux/2.4.6/drivers/char/drm/bufs.c/
2       |       /home/kash/linux/2.4.6/drivers/char/drm/i810_bufs.c/
2       |       /home/kash/linux/2.4.6/drivers/scsi/megaraid.c/
2       |       /home/kash/linux/2.4.6/drivers/i2o/i2o_config.c/
2       |       /home/kash/linux/2.4.6/drivers/scsi/scsi_ioctl.c/
2       |       /home/kash/linux/2.4.6/drivers/char/sx.c/
1       |       /home/kash/linux/2.4.6/drivers/md/lvm.c/
1       |       /home/kash/linux/2.4.6/drivers/usb/devio.c/
1       |       /home/kash/linux/2.4.6-ac2/drivers/media/video/stradis.c/
1       |       /home/kash/linux/2.4.6/drivers/net/wan/sdlamain.c/
1       |       /home/kash/linux/2.4.6/drivers/net/wan/lmc/lmc_main.c/
1       |       /home/kash/linux/2.4.6/drivers/i2c/i2c-dev.c/
1       |       /home/kash/linux/2.4.6/drivers/char/drm/ioctl.c/
1       |       /home/kash/linux/2.4.6-ac2/drivers/i2c/i2c-dev.c/
1       |       /home/kash/linux/2.4.6/ipc/sem.c/
1       |       /home/kash/linux/2.4.6/drivers/char/tpqic02.c/
1       |       /home/kash/linux/2.4.6-ac2/drivers/media/video/bttv-driver.c/
1       |       /home/kash/linux/2.4.6-ac2/drivers/md/lvm.c/
1       |       /home/kash/linux/2.4.6/drivers/char/drm/i810_dma.c/
1       |       /home/kash/linux/2.4.6/drivers/block/loop.c/
1       |       /home/kash/linux/2.4.6/drivers/usb/ov511.c/
1       |       /home/kash/linux/2.4.6/drivers/cdrom/sbpcd.c/
1       |       /home/kash/linux/2.4.6/drivers/char/drm/r128_bufs.c/
1       |       /home/kash/linux/2.4.6-ac2/drivers/media/video/zr36120.c/
1       |       /home/kash/linux/2.4.6-ac2/net/irda/af_irda.c/
1       |       /home/kash/linux/2.4.6/net/ipv6/netfilter/ip6_tables.c/
1       |       /home/kash/linux/2.4.6-ac2/net/ipv4/netfilter/ip_tables.c/
1       |       /home/kash/linux/2.4.6/drivers/usb/ibmcam.c/
1       |       /home/kash/linux/2.4.6/drivers/net/wan/sdla_fr.c/
1       |       /home/kash/linux/2.4.6-ac2/net/ipv6/netfilter/ip6_tables.c/
1       |       /home/kash/linux/2.4.6/drivers/char/drm/radeon_bufs.c/
1       |       /home/kash/linux/2.4.6/net/ipv4/netfilter/ip_tables.c/
1       |       /home/kash/linux/2.4.6-ac2/drivers/media/video/zr36067.c/

############################################################
# 2.4.6 specific errors
#
---------------------------------------------------------
[BUG] needs upper-bound check
/home/kash/linux/2.4.6/drivers/block/DAC960.c:5269:DAC960_UserIOCTL: ERROR:RANGE:5235:5269: Using user length "DataTransferLength" as argument to "kmalloc" [type=LOCAL MINOR] [state = need_ub] [linkages -> 5245:DataTransferLength=DataTransferLength -> 5245:UserCommand->DataTransferLength -> 5235:UserCommand:start] [distance=93]
        ProcessorFlags_T ProcessorFlags;
        int ControllerNumber, DataTransferLength;
        unsigned char *DataTransferBuffer = NULL;
        if (UserSpaceUserCommand == NULL) return -EINVAL;
        ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand,
Start --->
                                   sizeof(DAC960_V1_UserCommand_T));

        ... DELETED 28 lines ...

                != abs(DataTransferLength))
              return -EINVAL;
          }
        if (DataTransferLength > 0)
          {
Error --->
            DataTransferBuffer = kmalloc(DataTransferLength, GFP_KERNEL);
            if (DataTransferBuffer == NULL) return -ENOMEM;
            memset(DataTransferBuffer, 0, DataTransferLength);
          }
---------------------------------------------------------
[BUG] inlen is signed-- need lower bound check
/home/kash/linux/2.4.6/drivers/scsi/scsi_ioctl.c:266:scsi_ioctl_send_command: ERROR:RANGE:212:266: Using user length "inlen" as argument to "__copy_from_user" [type=LOCAL] [state = need_lb] set by '__get_user':212 [distance=107]
         * Verify that we can read at least this much.
         */
        if (verify_area(VERIFY_READ, sic, sizeof(Scsi_Ioctl_Command)))
                return -EFAULT;

Start --->
        __get_user(inlen, &sic->inlen);

        ... DELETED 48 lines ...

        __copy_from_user(cmd, cmd_in, cmdlen);

        /*
         * Obtain the data to be sent to the device (if any).
         */
Error --->
        __copy_from_user(buf, cmd_in + cmdlen, inlen);

        /*
         * Set the lun field to the correct value.
---------------------------------------------------------
[BUG] no lower bound check
/home/kash/linux/2.4.6/drivers/scsi/scsi_ioctl.c:323:scsi_ioctl_send_command: ERROR:RANGE:213:323: Using user length "outlen" as argument to "copy_to_user" [type=LOCAL] [state = need_lb] set by '__get_user':213 [distance=127]
         */
        if (verify_area(VERIFY_READ, sic, sizeof(Scsi_Ioctl_Command)))
                return -EFAULT;

        __get_user(inlen, &sic->inlen);
Start --->
        __get_user(outlen, &sic->outlen);

        ... DELETED 104 lines ...

                sb_len = (sb_len > OMAX_SB_LEN) ? OMAX_SB_LEN : sb_len;
                if (copy_to_user(cmd_in, SRpnt->sr_sense_buffer, sb_len))
                        result = -EFAULT;
        } else {
Error --->
                if (copy_to_user(cmd_in, buf, outlen))
                        result = -EFAULT;
        }

---------------------------------------------------------
[BUG] no upper bound check
/home/kash/linux/2.4.6/drivers/block/DAC960.c:5374:DAC960_UserIOCTL: ERROR:RANGE:5235:5374: Using user length "DataTransferLength" as argument to "kmalloc" [type=LOCAL MINOR] [state = need_ub] [linkages -> 5371:DataTransferLength=DataTransferLength -> 5371:UserCommand->DataTransferLength -> 5235:UserCommand:start]
        ProcessorFlags_T ProcessorFlags;
        int ControllerNumber, DataTransferLength;
        unsigned char *DataTransferBuffer = NULL;
        if (UserSpaceUserCommand == NULL) return -EINVAL;
        ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand,
Start --->
                                   sizeof(DAC960_V1_UserCommand_T));

        ... DELETED 133 lines ...

        if (Controller == NULL) return -ENXIO;
        if (Controller->FirmwareType != DAC960_V2_Controller) return -EINVAL;
        DataTransferLength = UserCommand.DataTransferLength;
        if (DataTransferLength > 0)
          {
Error --->
            DataTransferBuffer = kmalloc(DataTransferLength, GFP_KERNEL);
            if (DataTransferBuffer == NULL) return -ENOMEM;
            memset(DataTransferBuffer, 0, DataTransferLength);
          }
---------------------------------------------------------
[BUG] no upper bound check
/home/kash/linux/2.4.6/drivers/block/DAC960.c:5390:DAC960_UserIOCTL: ERROR:RANGE:5235:5390: Using user length "RequestSenseLength" as argument to "kmalloc" [type=LOCAL MINOR] [state = need_ub] [linkages -> 5387:RequestSenseLength=RequestSenseLength -> 5387:UserCommand->RequestSenseLength -> 5235:UserCommand:start]
        ProcessorFlags_T ProcessorFlags;
        int ControllerNumber, DataTransferLength;
        unsigned char *DataTransferBuffer = NULL;
        if (UserSpaceUserCommand == NULL) return -EINVAL;
        ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand,
Start --->
                                   sizeof(DAC960_V1_UserCommand_T));

        ... DELETED 149 lines ...

            if (ErrorCode != 0) goto Failure2;
          }
        RequestSenseLength = UserCommand.RequestSenseLength;
        if (RequestSenseLength > 0)
          {
Error --->
            RequestSenseBuffer = kmalloc(RequestSenseLength, GFP_KERNEL);
            if (RequestSenseBuffer == NULL)
              {
                ErrorCode = -ENOMEM;
---------------------------------------------------------
[BUG] carefully chosen values for length could pass the tests to get to this call.
/home/kash/linux/2.4.6/drivers/scsi/megaraid.c:4032:megadev_ioctl: ERROR:RANGE:3825:4032: Using user length "length" as argument to "copy_to_user" [type=LOCAL] [state = tainted] set by 'copy_from_user':3901 [linkages -> 3901:fcs->length -> 3838:ui->fcs -> 3838:ioc->ui -> 3825:ioc:start] [distance=198]
        ret = verify_area (VERIFY_WRITE, (char *) arg, sizeof (struct uioctl_t));

        if (ret)
                return ret;

Start --->
        if(copy_from_user (&ioc, (char *) arg, sizeof (struct uioctl_t)))

        ... DELETED 201 lines ...

                IO_UNLOCK;

                down (&mimd_ioctl_sem);

                if (!scsicmd->result && outlen) {
Error --->
                        copy_to_user (uaddr, kphysaddr, ioc.ui.fcs.length);
                }

                /*
---------------------------------------------------------
[BUG] no check at all.
/home/kash/linux/2.4.6/drivers/usb/ibmcam.c:2664:ibmcam_ioctl: ERROR:RANGE:2658:2664: Using user length "frame" as an array index for "frame" [state = tainted] set by 'copy_from_user':2658 [distance=25]
                }
                case VIDIOCSYNC:
                {
                        int frame;

Start --->
                        if (copy_from_user((void *)&frame, arg, sizeof(int)))
                                return -EFAULT;

                        if (debug >= 1)
                                printk(KERN_DEBUG "ibmcam: syncing to frame %d\n", frame);

Error --->
                        switch (ibmcam->frame[frame].grabstate) {
                        case FRAME_UNUSED:
                                return -EINVAL;
                        case FRAME_READY:

############################################################
# 2.4.6ac2 specific errors
#
---------------------------------------------------------
[BUG] minor ...


52 probable security holes in 2.4.6 and 2.4.6-ac2

Post by Alan Cox » Sun, 15 Jul 2001 21:10:06


> [BUG] Need a lower-bound check-- lo_encrypt_key_size is an int
> /home/kash/linux/2.4.6/drivers/block/loop.c:782:loop_set_status: ERROR:RANGE:757:782: Using user length "lo_encrypt_key_size" as argument to "memcpy" [type=LOCAL] [state = need_lb] set by 'copy_from_user':759 [linkages -> 759:info->lo_encrypt_key_size -> 757:info:start] [distance=110]
>    if (lo->lo_encrypt_key_size && lo->lo_key_owner != current->uid &&

This one looks like a tool error

        if ((unsigned int) info.lo_encrypt_key_size > LO_KEY_SIZE)

so the check is cast

In looking at the located ones I also found it missed a pile of related problems
it can check

There were a pile of

        item *p=kmalloc(sizeof(item)*num_items);
        if(p==NULL)
                error

        for(i=0;i<num_items;i++)
        {
                ..
        }

Where people rely on the kmalloc failing but forget that

        large value * sizeof(item) -> small value after overflow
        and the loop stomps all over kernel memory..

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
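As an added example (not code from this thread or from the kernel), the two checks discussed above modelled in userland C: the unsigned-cast compare that bounds a signed user length in one comparison, and the sizeof(item)*num_items product that wraps so the allocation succeeds but is too small for the loop that follows. calloc stands in for kmalloc; KEY_SIZE_MAX, struct item and the function names are assumptions.

```c
/* Added example, not code from the thread or the kernel. Userland model of
 * two patterns discussed above: the unsigned-cast compare on a signed user
 * length, and sizeof(item) * num_items wrapping so that kmalloc succeeds
 * with a buffer too small for the loop that follows. calloc stands in for
 * kmalloc; KEY_SIZE_MAX, struct item and the function names are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define KEY_SIZE_MAX 32u                /* constructed; plays LO_KEY_SIZE */

typedef struct { uint32_t w[4]; } item; /* 16 bytes, constructed */

/* Pattern 1: a signed length read from user space (int inlen, int
 * lo_encrypt_key_size). Casting it to unsigned maps every negative value
 * to a huge one, so one comparison enforces both the lower and the upper
 * bound. Returns 1 when len may be passed to memcpy/copy_*_user. */
int user_len_ok(int len, unsigned int max)
{
    return (unsigned int)len <= max;
}

/* Pattern 2, unchecked: the byte count the kmalloc(sizeof(item)*num_items)
 * idiom computes. Wraps silently for large counts. */
size_t unchecked_bytes(size_t num_items)
{
    return num_items * sizeof(item);
}

/* Returns 1 when unchecked_bytes(num_items) wrapped, i.e. the allocation
 * would be smaller than the for (i = 0; i < num_items; i++) loop assumes. */
int alloc_size_wraps(size_t num_items)
{
    return num_items != 0 &&
           unchecked_bytes(num_items) / sizeof(item) != num_items;
}

/* Pattern 2, checked: bound the count before multiplying so the allocation
 * size and the loop bound can never disagree. Returns NULL on rejection. */
item *alloc_items_checked(size_t num_items)
{
    if (num_items == 0 || num_items > SIZE_MAX / sizeof(item))
        return NULL;
    return calloc(num_items, sizeof(item));
}

/* Convenience for the checked path: 1 if num_items is accepted and the
 * allocation succeeds, 0 otherwise. */
int checked_alloc_ok(size_t num_items)
{
    item *p = alloc_items_checked(num_items);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* A count whose product with sizeof(item) wraps to exactly zero. */
    size_t wrap = SIZE_MAX / sizeof(item) + 1;
    printf("len -1 ok: %d, len 16 ok: %d, len 33 ok: %d\n",
           user_len_ok(-1, KEY_SIZE_MAX), user_len_ok(16, KEY_SIZE_MAX),
           user_len_ok(33, KEY_SIZE_MAX));
    printf("count %zu: wraps=%d, unchecked bytes=%zu, checked ok=%d\n",
           wrap, alloc_size_wraps(wrap), unchecked_bytes(wrap),
           checked_alloc_ok(wrap));
    return 0;
}
```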


52 probable security holes in 2.4.6 and 2.4.6-ac2

Post by Philipp Matthias Hahn » Tue, 17 Jul 2001 01:10:07


Hi Dag, Jean, LKML!


> These errors occur because user input (data from copy_from_user, get_user,
> etc.) is used without being checked in the following ways:
...
> 1  |       /home/kash/linux/2.4.6-ac2/net/irda/af_irda.c/
...
> ---------------------------------------------------------
> [BUG] looks like it
> /home/kash/linux/2.4.6-ac2/net/irda/af_irda.c:2064:irda_getsockopt: ERROR:RANGE:2063:2064: Using user length "(null)" as argument to "copy_to_user" [type=LOCAL] [state = need_lb] [linkages -> 2063:len:start] [distance=3]
>                    sizeof(struct irda_device_info);

>            /* Copy the list itself */
>            total = offset + (list.len * sizeof(struct irda_device_info));
>            if (total > len)
> Start --->
>                    total = len;
> Error --->
>            if (copy_to_user(optval+offset, discoveries, total - offset))
>                    err = -EFAULT;

>            /* Write total number of bytes used back to client */
> ---------------------------------------------------------

Here's the patch for review: The old check looks quite bogus, because
optlen is a pointer.

The check was plain wrong.
--- /usr/src/linux-2.4.7/net/irda/af_irda.c~    Thu Jul 12 14:21:06 2001

        if (get_user(len, optlen))
                return -EFAULT;

-       if(optlen < 0)
+       if(len < 0)
                return -EINVAL;

        switch (optname) {
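Review bot: the patch as posted has only a `---` line and no `+++` line or `@@` hunk header, so patch(1) cannot apply it; please resend it as a full `diff -u`. The substitution of `if(len < 0)` for `if(optlen < 0)` is the right fix, since `optlen` is the user pointer and the old comparison never fired, but please confirm that `len` is declared as a signed int in irda_getsockopt, because `len < 0` is a no-op (and a compiler warning) on an unsigned type. From the quoted lines, `total = len` when `total > len` still lets a `len` smaller than `offset` reach `copy_to_user(optval+offset, discoveries, total - offset)` with a negative length, which is the lower-bound case the checker flagged; a check that `len` is at least `offset` (or a check after the clamp) would close it.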

BYtE
Philipp
--
  / /  (_)__  __ ____  __ Philipp Hahn
 / /__/ / _ \/ // /\ \/ /


52 probable security holes in 2.4.6 and 2.4.6-ac2

Post by Jeff Hartmann » Wed, 18 Jul 2001 01:00:16


Kenneth Michael Ashcraft wrote:

> [BUG] but mainly can make the kernel allocate unbounded amount of
>       memory and crash.
> /home/kash/linux/2.4.6/drivers/char/drm/ioctl.c:90:drm_setunique: ERROR:RANGE:82:90: Using user length "unique_len" as argument to "copy_from_user" [type=LOCAL] [state = tainted] [linkages -> 88:unique_len=unique_len -> 88:u->unique_len -> 82:u:start] [distance=25]
>    drm_unique_t     u;

>    if (dev->unique_len || dev->unique)
>            return -EBUSY;

> Start --->
>    if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u)))
>            return -EFAULT;

>    if (!u.unique_len)
>            return -EINVAL;

>    dev->unique_len = u.unique_len;
>    dev->unique  = drm_alloc(u.unique_len + 1, DRM_MEM_DRIVER);
> Error --->
>    if (copy_from_user(dev->unique, u.unique, dev->unique_len))
>            return -EFAULT;
>    dev->unique[dev->unique_len] = '\0';

This is not a bug.  This is a root only ioctl called only during Xserver
initialization/recycle.  It can't be called anywhere else.


> [BUG]  unchecked int [should print this out in the message]
> /home/kash/linux/2.4.6/drivers/char/drm/i810_dma.c:1419:i810_copybuf: ERROR:RANGE:1411:1419: Using user length "used" as argument to "copy_from_user" [type=LOCAL] [state = tainted] set by 'copy_from_user':1419 [linkages -> 1419:d->used -> 1411:d:start] [distance=46]
>    if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
>            DRM_ERROR("i810_dma called without lock held\n");
>            return -EINVAL;
>    }

> Start --->
>            if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
>            return -EFAULT;

>    if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL;
>    buf = dma->buflist[ d.idx ];
>            buf_priv = buf->dev_private;
>    if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;

> Error --->
>            if (copy_from_user(buf_priv->virtual, d.address, d.used))
>            return -EFAULT;

>            sarea_priv->last_dispatch = (int) hw_status[5];

I'll send in a patch for this one.  It's really a bug.


> ---------------------------------------------------------
> [BUG] you could loop for a long time.
> /home/kash/linux/2.4.6/drivers/char/drm/mga_bufs.c:485:mga_freebufs: ERROR:RANGE:482:485: [LOOP] Looping on user length "count" set by 'copy_from_user':485 [linkages -> 485:request->count -> 482:request:start]

>    if (!dma) return -EINVAL;

>    if (copy_from_user(&request,
>                       (drm_buf_free_t *)arg,
> Start --->
>                       sizeof(request)))
>            return -EFAULT;

> Error --->
>    for (i = 0; i < request.count; i++) {
>            if (copy_from_user(&idx,
>                               &request.list[i],
>                               sizeof(idx)))
> ---------------------------------------------------------
> [BUG]  you could loop for a long time.
> /home/kash/linux/2.4.6/drivers/char/drm/bufs.c:435:drm_freebufs: ERROR:RANGE:431:435: [LOOP] Looping on user length "count" set by 'copy_from_user':434 [linkages -> 434:request->count -> 431:request:start]

>    if (!dma) return -EINVAL;

>    if (copy_from_user(&request,
>                       (drm_buf_free_t *)arg,
> Start --->
>                       sizeof(request)))
>            return -EFAULT;

>    DRM_DEBUG("%d\n", request.count);
> Error --->
>    for (i = 0; i < request.count; i++) {
>            if (copy_from_user(&idx,
>                               &request.list[i],
>                               sizeof(idx)))
> ---------------------------------------------------------
> [BUG] you could loop for a long time.
> /home/kash/linux/2.4.6/drivers/char/drm/i810_bufs.c:311:i810_freebufs: ERROR:RANGE:307:311: [LOOP] Looping on user length "count" set by 'copy_from_user':310 [linkages -> 310:request->count -> 307:request:start]

>    if (!dma) return -EINVAL;

>    if (copy_from_user(&request,
>                       (drm_buf_free_t *)arg,
> Start --->
>                       sizeof(request)))
>            return -EFAULT;

>    DRM_DEBUG("%d\n", request.count);
> Error --->
>    for (i = 0; i < request.count; i++) {
>            if (copy_from_user(&idx,
>                               &request.list[i],
>                               sizeof(idx)))
> ---------------------------------------------------------

These are not bugs.  The maximum this loop can ever be is dma->buf_count.
drm_free_buffer will set the owner pid to zero, and if (buf->pid !=
current->pid) we exit the loop.


> [BUG] no direct check on count
> /home/kash/linux/2.4.6/drivers/char/drm/i810_bufs.c:104:i810_addbufs_agp: ERROR:RANGE:61:104: [LOOP] Looping on user length "count" [linkages -> 64:count=count -> 64:request->count -> 61:request:start]

>    if (!dma) return -EINVAL;

>    if (copy_from_user(&request,
>                       (drm_buf_desc_t *)arg,
> Start --->
>                       sizeof(request)))

>    ... DELETED 37 lines ...

>    entry->buf_size   = size;
>    entry->page_order = page_order;
>    offset = 0;

> Error --->
>    while(entry->buf_count < count) {
>            buf = &entry->buflist[entry->buf_count];
>            buf->idx = dma->buf_count + entry->buf_count;
>            buf->total = alignment;
> ---------------------------------------------------------
> [BUG] no direct check on count
> /home/kash/linux/2.4.6/drivers/char/drm/mga_bufs.c:115:mga_addbufs_agp: ERROR:RANGE:62:115: [LOOP] Looping on user length "count" [linkages -> 65:count=count -> 65:request->count -> 62:request:start]

>    if (!dma) return -EINVAL;

>    if (copy_from_user(&request,
>                       (drm_buf_desc_t *)arg,
> Start --->
>                       sizeof(request)))

>    ... DELETED 47 lines ...

>    entry->buf_size   = size;
>    entry->page_order = page_order;
>    offset = 0;

> Error --->
>    while(entry->buf_count < count) {
>            buf = &entry->buflist[entry->buf_count];
>            buf->idx = dma->buf_count + entry->buf_count;
>            buf->total = alignment;
> ---------------------------------------------------------
> [BUG] no direct check on count
> /home/kash/linux/2.4.6/drivers/char/drm/radeon_bufs.c:116:radeon_addbufs_agp: ERROR:RANGE:62:116: [LOOP] Looping on user length "count" [linkages -> 65:count=count -> 65:request->count -> 62:request:start]
>    int               byte_count;
>    int               i;

>    if (!dma) return -EINVAL;

> Start --->
>    if (copy_from_user(&request, (drm_buf_desc_t *)arg, sizeof(request)))

>    ... DELETED 48 lines ...

>    entry->buf_size   = size;
>    entry->page_order = page_order;
>    offset            = 0;

> Error --->
>    for (offset = 0;
>         entry->buf_count < count;
>         offset += alignment, ++entry->buf_count) {
>            buf          = &entry->buflist[entry->buf_count];
> ---------------------------------------------------------
> [BUG] no direct check on count
> /home/kash/linux/2.4.6/drivers/char/drm/r128_bufs.c:119:r128_addbufs_agp: ERROR:RANGE:65:119: [LOOP] Looping on user length "count" [linkages -> 68:count=count -> 68:request->count -> 65:request:start]

>    if (!dma) return -EINVAL;

>    if (copy_from_user(&request,
>                       (drm_buf_desc_t *)arg,
> Start --->
>                       sizeof(request)))

>    ... DELETED 48 lines ...

>    entry->buf_size   = size;
>    entry->page_order = page_order;
>    offset            = 0;

> Error --->
>    for (offset = 0;
>         entry->buf_count < count;
>         offset += alignment, ++entry->buf_count) {
>            buf          = &entry->buflist[entry->buf_count];
> ---------------------------------------------------------
> [BUG] no direct check on count
> /home/kash/linux/2.4.6/drivers/char/drm/mga_bufs.c:287:mga_addbufs_pci: ERROR:RANGE:220:287: [LOOP] Looping on user length "count" [linkages -> 223:count=count -> 223:request->count -> 220:request:start]

>    if (!dma) return -EINVAL;

>    if (copy_from_user(&request,
>                       (drm_buf_desc_t *)arg,
> Start --->
>                       sizeof(request)))

>    ... DELETED 61 lines ...

>    entry->buf_size        = size;
>    entry->page_order = page_order;
>    byte_count        = 0;
>    page_count        = 0;
> Error --->
>    while (entry->buf_count < count) {
>            if (!(page = drm_alloc_pages(page_order, DRM_MEM_DMA))) break;
>            entry->seglist[entry->seg_count++] = page;
>            for (i = 0; i < (1 << page_order); i++) {
> ---------------------------------------------------------
> [BUG] no direct check on count
> /home/kash/linux/2.4.6/drivers/char/drm/bufs.c:239:drm_addbufs: ERROR:RANGE:172:239: [LOOP] Looping on user length "count" [linkages -> 175:count=count -> 175:request->count -> 172:request:start]

>    if (!dma) return -EINVAL;

>    if (copy_from_user(&request,
>                       (drm_buf_desc_t *)arg,
> Start --->
>                       sizeof(request)))

>    ... DELETED 61 lines ...

>    entry->buf_size        = size;
>    entry->page_order = page_order;
>    byte_count        = 0;
>    page_count        = 0;
> Error --->
>    while (entry->buf_count < count) {
>            if (!(page = drm_alloc_pages(page_order, DRM_MEM_DMA))) break;
>            entry->seglist[entry->seg_count++] = page;
>            for (i = 0; i < (1 << page_order); i++) {
> ---------------------------------------------------------

These are not bugs, they are root-only ioctls.

-Jeff


52 probable security holes in 2.4.6 and 2.4.6-ac2

Post by Andreas Dilger » Wed, 18 Jul 2001 03:30:10


Jeff Hartmann writes:


> > [BUG] but mainly can make the kernel allocate unbounded amount of
> >       memory and crash.
> This is not a bug.  This is a root only ioctl called only during Xserver
> initialization/recycle.  It can't be called anywhere else.

So you're saying that root is perfectly secure, and that the Xserver never
has any bugs in it? ;-)

Cheers, Andreas
--
Andreas Dilger  \ "If a man ate a pound of pasta and a pound of antipasto,
                 \  would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/               -- Dogbert