Re: [CHECKER] 2.4.5-ac4 security holes

Alan Cox (alan@lxorguk.ukuu.org.uk)
Fri, 1 Jun 2001 08:42:20 +0100 (BST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jeff Garzik: "Re: [PATCH] support for Cobalt Networks (x86 only) systems (for real"
Previous message: Jeff Garzik: "Re: [PATCH] support for Cobalt Networks (x86 only) systems (for real"
In reply to: Dawson Engler: "[CHECKER] 2.4.5-ac4 security holes"

> [BUG] looks really broken.
> /u2/engler/mc/oses/linux/2.4.5-ac4/fs/ioctl.c:108:sys_ioctl: ERROR:PARAM:70:108: Deref tainted var 'arg' (tainted from line 70)

Been meaning to dump that anyway so that was solved by the delete approach
- real bug

> [BUG] sure seems like it. In general, all 4 dereferences seem pretty bad.
> /u2/engler/mc/oses/linux/2.4.5-ac4/drivers/net/wan/cosa.c:1049:cosa_download: ERROR:PARAM:1046:1049: Deref tainted var 'd' (tainted from line 1046)
> return -EPERM;

Fixed .. only available to root anyway

> /u2/engler/mc/oses/linux/2.4.5-ac4/drivers/net/wan/cosa.c:1057:cosa_download: ERROR:PARAM:1046:1057: Deref tainted var 'd' (tainted from line 1046)
> return -EPERM;
> }
>
Ditto

> switch (cmd) {
> case SNDCTL_SYNTH_INFO:
> memcpy (&((char *) arg)[0], &wavefront_info,

Fixed

> [BUG] [RESURRECTED] Should be fixed in ac5, though.
> /u2/engler/mc/oses/linux/2.4.5-ac4/drivers/isdn/eicon/linchr.c:128:do_ioctl: ERROR:PARAM:60:128: tainted var 'arg' (from line 60) used as arg 0 to 'DivasGetList'

Done (wasnt fixed in ac5)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff Garzik: "Re: [PATCH] support for Cobalt Networks (x86 only) systems (for real"
Previous message: Jeff Garzik: "Re: [PATCH] support for Cobalt Networks (x86 only) systems (for real"
In reply to: Dawson Engler: "[CHECKER] 2.4.5-ac4 security holes"