Enclosed is a potential security hole in 2.4.5-ac where an integer from
user space is used as a length argument to copy_to_user.
Additionally, do people have suggestions for good security rules?
We're looking to expand our security checkers. Right now we just have
checkers that warn when:
1. user pointers are dereferenced
2. an integer from user space is used as a length argument to
copy*user or as an array index. (this is getting extended
to include data from network packets)
3. user input can trigger a known bug (e.g., the failed release of
a lock, or a copy_*_user call with interrupts disabled).
more preliminary:
(4) a checker that derives when you're supposed to
do an capable? call and warns when you don't.
(5) checkers to find typical format string bugs.
I'm sure there are a huge set of security holes that are not covered by
these sorts of checks, so if anyone has suggestions, please let us know.
Dawson
PS Someone from world.std.com (I believe) sent a nice rule yesterday,
but I accidently deleted the message --- could you please resend?
[BUG]
/u2/engler/mc/oses/linux/2.4.5-ac4/drivers/char/random.c:1813:uuid_strategy: ERROR:RANGE:1809:1813: Using user length "len" as argument to "copy_to_user" [type=LOCAL] set by 'get_user':1813
uuid[8] = 0;
}
if (uuid[8] == 0)
generate_random_uuid(uuid);
Start --->
get_user(len, oldlenp);
if (len) {
if (len > 16)
len = 16;
Error --->
if (copy_to_user(oldval, table->data, len))
return -EFAULT;
if (put_user(len, oldlenp))
return -EFAULT;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/