[LWN Logo]
[LWN.net]
From:	 Alan Cox <alan@lxorguk.ukuu.org.uk>
To:	 engler@csl.Stanford.EDU (Dawson Engler)
Subject: Re: [CHECKER] user-pointer bugs in 2.4.4 and 2.4.4-ac8
Date:	 Mon, 28 May 2001 00:45:38 +0100 (BST)
Cc:	 linux-kernel@vger.kernel.org, mc@cs.Stanford.EDU

> /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:64:do_ioctl: ERROR:PARAM:62:64: tainted var 'pDivaConfig' (from line 62) used as arg 0 to 'DivasCardConfig'
> 	switch (command)

Yep - fixed

> [BUG]supposed to at least be bad form.
> /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:186:do_ioctl: ERROR:PARAM:184:186: tainted var 'mem_block' (from line 184) used as arg 0 to 'DivasGetMem'
> 			return 0;

Yep - fixed

> /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:131:do_ioctl: ERROR:PARAM:129:131: tainted var 'pDivaLog' (from line 129) used as arg 0 to 'DivasLog'

Yep - fixed

> /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:172:do_ioctl: ERROR:PARAM:142:172: tainted var 'arg' (from line 142) used as arg 0 to 'DivasGetList'

Yep.

> /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/net/appletalk/ipddp.c:268:ipddp_ioctl: ERROR:PARAM:268:268: tainted var 'rt' (from line 268) used as arg 0 to 'ipddp_find_route'
>         {

Ok fixed

> /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/isdn/eicon/linchr.c:97:do_ioctl: ERROR:PARAM:95:97: Deref tainted var 'pDivaStart' (tainted from line 95)

Real - fixed

> /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/net/appletalk/ipddp.c:265:ipddp_ioctl: ERROR:PARAM:268:265: tainted var 'rt' (from line 268) used as arg 0 to 'ipddp_create'

Fixed

> /u2/engler/mc/oses/linux/2.4.4-ac8/drivers/net/appletalk/ipddp.c:273:ipddp_ioctl: ERROR:PARAM:268:273: tainted var 'rt' (from line 268) used as arg 0 to 'ipddp_delete'

Fixed

>                 case SIOCFINDIPDDPRT:
> Start --->
>                         if(copy_to_user(rt, ipddp_find_route(rt), sizeof(struct ipddp_route)))
>                                 return -EFAULT;

Fixed

> [BUG]  seems pretty confused.
> /u2/engler/mc/oses/linux/2.4.4-ac8/net/decnet/af_decnet.c:1491:__dn_getsockopt: ERROR:PARAM:1438:1491: Deref tainted var 'optlen' (tainted from line 1438)
> 	struct linkinfo_dn link;
> 	unsigned int r_len;

Fixed

> 	case PHONE_CAPABILITIES_CHECK:
> Error --->
> 		retval = capabilities_check(j, (struct phone_capability *) arg);
> 		break;

Fixed

All look valid to me

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/