Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S265415AbUAJVa1 (ORCPT ); Sat, 10 Jan 2004 16:30:27 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S265422AbUAJVa0 (ORCPT ); Sat, 10 Jan 2004 16:30:26 -0500 Received: from relay2.EECS.Berkeley.EDU ([169.229.60.28]:45219 "EHLO relay2.EECS.Berkeley.EDU") by vger.kernel.org with ESMTP id S265415AbUAJVaT (ORCPT ); Sat, 10 Jan 2004 16:30:19 -0500 Subject: Re: 2.4.23: user/kernel pointer bugs (drivers/char/vt.c, drivers/char/drm/gamma_dma.c) From: "Robert T. Johnson" To: Marcelo Tosatti Cc: Linux Kernel , Alan Cox FCC: imap://rtjohnso@imap.cs.berkeley.edu/Sent X-Identity-Key: id1 X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031105 Thunderbird/0.3 X-Accept-Language: en-us, en References: <1073592494.18588.77.camel@dooby.cs.berkeley.edu> In-Reply-To: Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.5 Date: 10 Jan 2004 13:30:16 -0800 Message-Id: <1073770216.22193.79.camel@dooby.cs.berkeley.edu> Mime-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1592 Lines: 48 Marcelo Tosatti wrote: On Thu, 8 Jan 2004, Robert T. Johnson wrote: Both of these bugs look exploitable. The vt.c patch is self-explanatory. Thanks for looking at this, and let me know if you have any questions. Best, Rob P.S. Both of these bugs were found using the source code verification tool, CQual, developed by Jeff Foster, myself, and others, and available from http://www.cs.umd.edu/~jfoster/cqual/. --- drivers/char/vt.c.orig Thu Jan 8 10:53:01 2004 +++ drivers/char/vt.c Wed Jan 7 15:22:17 2004 @@ -288,7 +288,7 @@ case KDGKBSENT: sz = sizeof(tmp.kb_string) - 1; /* sz should have been a struct member */ - q = user_kdgkb->kb_string; + q = tmp.kb_string; p = func_table[i]; if(p) for ( ; *p && sz; p++, sz--) The "q" variable is only used as an argument to put_user() (the kernel is not reading from that address), so I think it is not a problem. I think your patch will break the ioctl. Whoops. I thought user_kdgkb->kb_string was a pointer, not an array. You're absolutely right. Please ignore this patch. I'm very sorry for the mistake. Best, Rob - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/