Re: [CHECKER] Probable Security Errors in 2.4.12-ac3

Manfred Spraul (manfred@colorfullife.com)
Sun, 21 Oct 2001 10:08:29 +0200


From: "Ken Ashcraft" <kash@stanford.edu>
> [BUG] minor, loops on len
> /home/kash/linux/2.4.12/ipc/msg.c:788:sys_msgrcv: ERROR:RANGE:756:788: Using user length "msgsz" as argument to "store_msg"
[type=GLOBAL] [state = need_ub] set by 'user-originated parameter':756 [distance=81]
>
> ss_wakeup(&msq->q_senders,0);
> msg_unlock(msqid);
> out_success:
> msgsz = (msgsz > msg->m_ts) ? msg->m_ts : msgsz;
> if (put_user (msg->m_type, &msgp->mtype) ||
> Error --->
> store_msg(msgp->mtext, msg, msgsz)) {
> msgsz = -EFAULT;
> }
> free_msg(msg);

That's not a bug:
* msgsz is limited to msg->m_ts (2 lines above store_msg)
* msg->m_ts is set by sys_msgsnd to msgsz, and that function rejects messages longer than msg_ctlmax.

--
    Manfred

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/