Re: [CHECKER] Probable security holes in 2.6.5

From: Chris Wright
Date: Mon Apr 19 2004 - 15:39:49 EST

> [BUG] minor
> /home/kash/linux/linux-2.6.5/drivers/md/dm-ioctl.c:1180:copy_params:
> ERROR:TAINT: 1174:1180:Passing unbounded user value "(tmp).data_size" as
> arg 0 to function "vmalloc", which uses it unsafely in model
> [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)]
> [SINK_MODEL=(lib,vmalloc,user,trustingsink)] [BOUNDS= Lower bound on
> line 1177] [MINOR] [PATH=]
> static int copy_params(struct dm_ioctl *user, struct dm_ioctl **param)
> {
> struct dm_ioctl tmp, *dmi;
> Start --->
> if (copy_from_user(&tmp, user, sizeof(tmp)))
> return -EFAULT;
> if (tmp.data_size < sizeof(tmp))
> return -EINVAL;
> Error --->
> dmi = (struct dm_ioctl *) vmalloc(tmp.data_size);
> if (!dmi)
> return -ENOMEM;

Looks like dm_ioctl() has a free form untyped buffer at the end of the
dm_ioctl struct, which makes it rough to figure the appropriate max for
data_size, esp, those that can be a list. It's protected by capable(),
not clear if there's a good fix, and I don't see an overflow just a way
to vmalloc() a large bit of memory. Perhaps there's a case where one
could rename to a name larger than DM_NAME_LEN, then no longer be able to
lookup based on ->name (only ->uuid).

Linux Security Modules
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at