The Stanford checker said:
---------------------------------------------------------
[BUG] pass kernel pointer into copy_*_user. bug is in VIDIOCGTUNER. Should
not call copy_to_user on arg since arg is already in kernel space.
/home/junfeng/linux-2.5.63/drivers/media/radio/radio-cadet.c:397:cadet_do_ioctl:
ERROR:TAINTED:397:397: dereferencing tainted ptr 'v' [Callstack: ]
{
case VIDIOCGCAP:
{
struct video_capability *v = arg;
memset(v,0,sizeof(*v));
Error --->
v->type=VID_TYPE_TUNER;
v->channels=2;
v->audios=1;
strcpy(v->name, "ADS Cadet");
---------------------------------------------------------
As pointed out, 'v' is not tainted. The driver shouldn't be using
copy_to_user() in cadet_do_ioctl() at all: cadet_do_ioctl() is being
called by drivers/media/video/videodev.c:video_usercopy(), which has
already copied the buffer 'arg' (aka 'v') into kernel space, and will
copy it back after cadet_do_ioctl() returns. So all the direct 'v'
accesses are correct.
--
Hollis Blanchard
IBM Linux Technology Center
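Added here as an illustration, not code from the kernel, the radio-cadet driver or the mail above: a user-space simulation in C of the video_usercopy() pattern Hollis describes (copy the argument in, call the handler with a kernel pointer, copy it back). The ioctl number, the struct layout and the 64-byte "user space" region are constructed stand-ins, and access_ok() is modelled as accepting only addresses inside that region, which is what makes the copy_to_user()-on-a-kernel-pointer variant fail with -EFAULT while the direct-fill handler works.

```c
#include <stdint.h>
#include <string.h>
enum { VIDIOCGCAP = 1, VID_TYPE_TUNER = 1, EFAULT = 14 }; /* constructed stand-in values */
struct video_capability { char name[32]; int type; int channels; int audios; };
/* Simulated user space: only addresses inside user_mem pass the access_ok check. */
static unsigned char user_mem[64];
static int sim_access_ok(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_mem;
    return a >= lo && a + n <= lo + sizeof user_mem;
}
/* Kernel convention: returns 0 on success, otherwise the number of bytes not copied. */
static size_t sim_copy_user(void *to, const void *from, size_t n, const void *uptr) {
    if (!sim_access_ok(uptr, n)) return n;
    memcpy(to, from, n);
    return 0;
}
#define sim_copy_from_user(to, from, n) sim_copy_user(to, from, n, from)
#define sim_copy_to_user(to, from, n)   sim_copy_user(to, from, n, to)
typedef int (*ioctl_fn)(unsigned cmd, void *karg);
/* The video_usercopy() pattern: copy in, call the handler with a KERNEL pointer, copy back. */
static int sim_video_usercopy(unsigned cmd, void *uarg, ioctl_fn fn) {
    struct video_capability kbuf; int err;
    if (sim_copy_from_user(&kbuf, uarg, sizeof kbuf)) return -EFAULT;
    if ((err = fn(cmd, &kbuf)) != 0) return err;
    return sim_copy_to_user(uarg, &kbuf, sizeof kbuf) ? -EFAULT : 0;
}
/* Correct handler: 'arg' is already kernel memory, so it is filled directly. */
static int cadet_ioctl_ok(unsigned cmd, void *arg) {
    struct video_capability *v = arg;
    if (cmd != VIDIOCGCAP) return -1;
    memset(v, 0, sizeof *v);
    v->type = VID_TYPE_TUNER; v->channels = 2; v->audios = 1;
    strcpy(v->name, "ADS Cadet");
    return 0;
}
/* Buggy handler: copy_to_user() on the kernel pointer fails access_ok, so the user sees -EFAULT. */
static int cadet_ioctl_buggy(unsigned cmd, void *arg) {
    struct video_capability tmp = { "ADS Cadet", VID_TYPE_TUNER, 2, 1 };
    (void)cmd;
    return sim_copy_to_user(arg, &tmp, sizeof tmp) ? -EFAULT : 0;
}
/* Issue VIDIOCGCAP through the wrapper on a zeroed user buffer; the result lands in user_cap(). */
static struct video_capability *user_cap(void) { return (struct video_capability *)user_mem; }
static int run_ioctl(ioctl_fn fn) {
    memset(user_mem, 0, sizeof user_mem);
    return sim_video_usercopy(VIDIOCGCAP, user_cap(), fn);
}
```

With the direct-fill handler run_ioctl() returns 0 and the user-side struct carries channels=2, audios=1 and the name; with the copy_to_user() variant the wrapper returns -EFAULT and the user-side struct stays zeroed.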