Re: [CHECKER] 15 probable security holes in 2.4.5-ac8

From:	 Alan Cox <alan@lxorguk.ukuu.org.uk>
To:	 engler@csl.Stanford.EDU (Dawson Engler)
Subject: Re: [CHECKER] 15 probable security holes in 2.4.5-ac8
Date:	 Fri, 8 Jun 2001 22:58:11 +0100 (BST)
Cc:	 linux-kernel@vger.kernel.org, mc@cs.Stanford.EDU

> [BUG]  dataxferlen is never checked.
> /u2/engler/mc/oses/linux/2.4.5-ac8/drivers/scsi/megaraid.c:4108:megadev_ioctl: ERROR:RANGE:3825:4108: Using user length "dataxferlen" as argument to "copy_from_user" [type=LOCAL] [state = any_check] set by 'copy_from_user':3825 [val=28300]

Yep. Fixed - privileged ioctl fortunately

> static int moxaload320b(int cardno, unsigned char * tmp, int len)
> {
>         unsigned long baseAddr;
>         int i;

Fixed - privileged anyway

> ---------------------------------------------------------
> [BUG]  d.idx is an int: < 0 = bad news.
> /u2/engler/mc/oses/linux/2.4.5-ac8/drivers/char/drm/i810_dma.c:1413:i810_copybuf: ERROR:RANGE:1409:1413: Using user length "idx"as an array index for "buflist" set by 'copy_from_user':1409 [val=400]
> 	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
> 		DRM_ERROR("i810_dma called without lock held\n");

Fixed - nasty

> [BUG]  ouch.  (routine also uses it as an index)
> /u2/engler/mc/oses/linux/2.4.5-ac8/drivers/usb/se401.c:1290:se401_ioctl: ERROR:RANGE:1286:1290: Using user length "frame"as an array index for "frame" set by 'copy_from_user':1286 [val=400]

Uggh..

> [BUG]  ouch x 2: no check either way.
> /u2/engler/mc/oses/linux/2.4.5-ac8/drivers/char/drm/mga_state.c:835:mga_iload: ERROR:RANGE:827:835: Using user length "idx"as an array index for "buflist" set by 'copy_from_user':827 [val=800]

Nasty - left for the X folks to fix

> [BUG] (but i'm not sure whey we're missing the initial irq).
> /u2/engler/mc/oses/linux/2.4.5-ac8/drivers/net/hamradio/scc.c:1772:scc_net_ioctl: ERROR:RANGE:1762:1772: Using user length "irq"as an array index for "Ivec" set by 'copy_from_user':1762 [val=1000]
> 			if (!arg) return -EFAULT;

Thats a real bug for other reaosns. the iRQ might be > 16 on APIC using hosts
or non x86

Both fixed

> [BUG]  usbvideo_GetFrame can fail, but result is not checked before index.
> /u2/engler/mc/oses/linux/2.4.5-ac8/drivers/usb/usbvideo.c:1596:usbvideo_v4l_ioctl: ERROR:RANGE:1572:1596: Using user length "frameNum"as an array index for "frame" set by 'copy_from_user':1572 [val=2400]
> 		}

Fixed

> ---------------------------------------------------------
> [BUG] pretty sure, though the code is convoluted.
> /u2/engler/mc/oses/linux/2.4.5-ac8/drivers/media/video/zr36067.c:3505:do_zoran_ioctl: ERROR:RANGE:3435:3505: Using user length "norm"as an array index for "cardnorms" [val=7000]

Done

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/