another potential security bug

William Ie (wie@CS.Stanford.EDU)
Thu, 10 May 2001 12:13:26 -0700 (PDT)


Hi, my name is William Ie and I am currently working under Dawson Engler's
mc project here in the Stanford CS dept. We are currently trying to
develop security related bug-checkers, particularly regarding the
capability checks done in the linux kernel. While going through the
results of our prototype checker, we run into the following anomaly and
thus was wondering if this is merely a false positive. Thank you very much
for your input.

linux/2.4.3/drivers/net/pcmcia/netwave_cs.c
case SIOCGIWENCODE:
/* Get scramble key */
ERROR<- if(wrq->u.encoding.pointer != (caddr_t) 0)
{
char key[2];
key[1] = scramble_key & 0xff;
key[0] = (scramble_key>>8) & 0xff;
wrq->u.encoding.flags = IW_ENCODE_ENABLED;
wrq->u.encoding.length = 2;
if(copy_to_user(wrq->u.encoding.pointer, key, 2))
ret = -EFAULT;
}
break;

handling the same command with CAP_NET_ADMIN capability checks are done
in:
drivers/net/wavelan.c
drivers/net/pcmcia/orinoco_cs.c
drivers/net/pcmcia/wavelan_cs.c

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/