Not so theoretical race in atkbd_command

From: Pavel Machek
Date: Mon Apr 26 2004 - 16:37:10 EST

Next message: Sistema Antivirus: "virus encontrado en el mensaje enviado "Re: Here""
Previous message: publishing: "The Canadian Subsidy Directory 2004"
Next in thread: Pavel Machek: "Re: Not so theoretical race in atkbd_command"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

There's quite real race in atkbd_command:

static int atkbd_command(struct atkbd *atkbd, unsigned char *param,
int command)
{
int timeout = 500000; /* 500 msec */
int send = (command >> 12) & 0xf;
int receive = (command >> 8) & 0xf;
int i;

atkbd->cmdcnt = receive;
[user presses key here]

atkbd_interrupt eats user keypress, thinking its reply. Boom. To
exploit:

while true; do setleds +num; setleds -num; done

then try typing.
Pavel
--
934a471f20d6580d5aad759bf0d97ddc
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Sistema Antivirus: "virus encontrado en el mensaje enviado "Re: Here""
Previous message: publishing: "The Canadian Subsidy Directory 2004"
Next in thread: Pavel Machek: "Re: Not so theoretical race in atkbd_command"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]