[CHECKER] 3 potential user-pointer errors in drivers/usb/serial that can print out arbitrary kernel data

From: Junfeng Yang (yjf@stanford.edu)
Date: Mon Apr 28 2003 - 01:43:56 EST


Hi,

I classified the errors in my previous report. Here are 3 errors that allow
a malicious user to print out arbitrary kernel data. (the 4th error is at
least bad programming practice.)

All of them are in usb/serial.

Any replies will be appreciated.

---------------------------------------------------------
[BUG] buf is tainted. can print out arbitrary kernel data if debug is on
/home/junfeng/linux-tainted/drivers/usb/serial/empeg.c:225:empeg_write:
ERROR:TAINTED:225:225: passing tainted ptr 'buf' to usb_serial_debug_data
[Callstack:
/home/junfeng/linux-tainted/drivers/usb/serial/safe_serial.c:327:empeg_write((tainted 2))]

        int bytes_sent = 0;
        int transfer_size;

        dbg("%s - port %d", __FUNCTION__, port->number);

Error --->
        usb_serial_debug_data (__FILE__, __FUNCTION__, count, buf);

        while (count > 0) {

---------------------------------------------------------
[BUG] can print out arbitrary kernel data if debug is on
/home/junfeng/linux-tainted/drivers/usb/serial/ipaq.c:371:ipaq_write:
ERROR:TAINTED:371:371: passing tainted ptr 'buf' to usb_serial_debug_data
[Callstack:
/home/junfeng/linux-tainted/drivers/usb/serial/safe_serial.c:327:ipaq_write((tainted 2))]

        int bytes_sent = 0;
        int transfer_size;

        dbg("%s - port %d", __FUNCTION__, port->number);

Error --->
        usb_serial_debug_data(__FILE__, __FUNCTION__, count, buf);

        while (count > 0) {
                transfer_size = min(count, PACKET_SIZE);
---------------------------------------------------------
[BUG] can print out arbitrary kernel data if debug is on
/home/junfeng/linux-tainted/drivers/usb/serial/keyspan.c:328:keyspan_write:
ERROR:TAINTED:328:328: dereferencing tainted ptr 'buf' [Callstack: ]

        p_priv = usb_get_serial_port_data(port);
        d_details = p_priv->device_details;

        dbg("%s - for port %d (%d chars [%x]), flip=%d",

Error --->
            __FUNCTION__, port->number, count, buf[0], p_priv->out_flip);

        for (left = count; left > 0; left -= todo) {
                todo = left;

---------------------------------------------------------
[BUG] At least bad programming practice: calls usb_serial_debug_data on
tainted pointer 'data'. It is verified by a previous call to copy_*_user.

/home/junfeng/linux-tainted/drivers/usb/serial/io_edgeport.c:1381:edge_write:
ERROR:TAINTED:1381:1381: passing tainted ptr 'data' to
usb_serial_debug_data [Callstack: ]

                fifo->head += secondhalf;
                // No need to check for wrap since we can not get to end of fifo in this part
        }

        if (copySize) {

Error --->
                usb_serial_debug_data (__FILE__, __FUNCTION__, copySize, data);
        }

        send_more_port_data((struct edgeport_serial *)usb_get_serial_data(port->serial), edge_port);

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Apr 30 2003 - 22:00:28 EST
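The four reports share one pattern: 'buf' or 'data' is the pointer handed to the driver's write path, and usb_serial_debug_data reads through it before copy_from_user has validated it, so a caller who supplies a kernel address gets those bytes echoed into the debug log. The following user-space C model is an added illustration, not kernel code and not the fix that was applied to these drivers; the model_* helpers and the flat constructed address space are assumptions, and the point it makes is the ordering: copy first, then dump the kernel copy.

```c
/* Added illustration, not kernel code: a flat model of user and kernel
 * memory showing the ordering bug in the reports and the copy-first fix. */
#include <stddef.h>
#include <string.h>
#define USER_LIMIT 64                        /* addresses below this are user */
#define EFAULT 14
static unsigned char address_space[128];     /* constructed address space */
static unsigned char last_dump[128];         /* what the debug log would show */
static size_t last_dump_len;
/* Constructed state: user memory filled with 'u', a secret at kernel addr 100. */
static void model_reset(void) {
    memset(address_space, 'u', sizeof address_space);
    memcpy(address_space + 100, "SECRET", 6);
    last_dump_len = 0;
}
/* Model of access_ok(): the whole range must lie in user space. */
static int model_access_ok(size_t addr, size_t len) {
    return addr < USER_LIMIT && len <= USER_LIMIT - addr;
}
/* Model of copy_from_user(): validate, then copy; never reads kernel memory. */
static int model_copy_from_user(unsigned char *dst, size_t uaddr, size_t len) {
    if (!model_access_ok(uaddr, len))
        return -EFAULT;
    memcpy(dst, address_space + uaddr, len);
    return 0;
}
/* Stand-in for usb_serial_debug_data(): trusts whatever pointer it is given. */
static void model_debug_data(const unsigned char *p, size_t len) {
    memcpy(last_dump, p, len);
    last_dump_len = len;
}
/* Ordering in the reports: dump through the raw address, validate afterwards.
 * A caller who passes a kernel address gets those bytes echoed into the log. */
static int write_dump_before_copy(size_t ubuf, size_t count) {
    unsigned char kbuf[128];
    model_debug_data(address_space + ubuf, count);
    return model_copy_from_user(kbuf, ubuf, count);
}
/* Copy-first ordering: only bytes that copy_from_user accepted reach the log. */
static int write_dump_after_copy(size_t ubuf, size_t count) {
    unsigned char kbuf[128];
    int rc = model_copy_from_user(kbuf, ubuf, count);
    if (rc == 0)
        model_debug_data(kbuf, count);
    return rc;
}
/* Helper for checking what the last dump exposed. */
static int dump_matches(const char *s, size_t n) {
    return last_dump_len == n && memcmp(last_dump, s, n) == 0;
}
```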