Re: 2.4.23: user/kernel pointer bugs (drivers/char/vt.c, drivers/char/drm/gamma_dma.c)

From: Marcelo Tosatti (marcelo.tosatti_at_cyclades.com)
Date: 01/10/04

  • Next message: Jesper Juhl: "Re: [PATCH] First patch to improve ELF sanity checks" 
    Date:	Sat, 10 Jan 2004 15:46:38 -0200 (BRST)
To: "Robert T. Johnson" <rtjohnso@eecs.berkeley.edu>

    On Thu, 8 Jan 2004, Robert T. Johnson wrote:

    > Both of these bugs look exploitable. The vt.c patch is
    > self-explanatory.
    >
    > Thanks for looking at this, and let me know if you have any questions.
    >
    > Best,
    > Rob
    >
    > P.S. Both of these bugs were found using the source code verification
    > tool, CQual, developed by Jeff Foster, myself, and others, and available
    > from http://www.cs.umd.edu/~jfoster/cqual/.
    >
    >
    > --- drivers/char/vt.c.orig Thu Jan 8 10:53:01 2004
    > +++ drivers/char/vt.c Wed Jan 7 15:22:17 2004
    > @@ -288,7 +288,7 @@
    > case KDGKBSENT:
    > sz = sizeof(tmp.kb_string) - 1; /* sz should have been
    > a struct member */
    > - q = user_kdgkb->kb_string;
    > + q = tmp.kb_string;
    > p = func_table[i];
    > if(p)
    > for ( ; *p && sz; p++, sz--)

    The "q" variable is only used as an argument to put_user() (the kernel is
    not reading from that address), so I think it is not a problem.

    I think your patch will break the ioctl.

    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  • Next message: Jesper Juhl: "Re: [PATCH] First patch to improve ELF sanity checks"

    Relevant Pages