Re: [CHECKER] Probable Security Errors in 2.4.12-ac3

Jens Axboe (axboe@suse.de)
Tue, 23 Oct 2001 09:32:30 +0200



On Sat, Oct 20 2001, Ken Ashcraft wrote:
> ---------------------------------------------------------
> [BUG] needs upper bound
> /home/kash/linux/2.4.12/drivers/cdrom/cdrom.c:2019:mmc_ioctl: ERROR:RANGE:2012:2019: [LOOP] Looping on user length "nr" set by 'copy_from_user':2018 [linkages -> 2018:nr=nframes -> 2012:ra:start] [distance=26]
> lba = ra.addr.lba;
> else
> return -EINVAL;
>
> /* FIXME: we need upper bound checking, too!! */
> Start --->
> if (lba < 0 || ra.nframes <= 0)
> return -EINVAL;
>
> /*
> * start with will ra.nframes size, back down if alloc fails
> */
> nr = ra.nframes;
> Error --->
> do {
> cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
> if (cgc.buffer)
> break;

Here's a fix for that. Linus, please apply.

-- 
Jens Axboe


--- drivers/cdrom/cdrom.c~ Tue Oct 23 09:28:35 2001 +++ drivers/cdrom/cdrom.c Tue Oct 23 09:29:23 2001 @@ -2009,7 +2009,7 @@ return -EINVAL; /* FIXME: we need upper bound checking, too!! */ - if (lba < 0 || ra.nframes <= 0) + if (lba < 0 || ra.nframes <= 0 || ra.nframes > 64) return -EINVAL; /*
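
Review bot: The FIXME comment directly above the changed condition ("we need upper bound checking, too!!") is left in place even though the new `ra.nframes > 64` test supplies that bound for nframes; drop it, or reword it so it names only what is still unchecked (lba still has only the `lba < 0` test). The limit 64 is also a bare literal with no stated rationale. Since nr is taken from ra.nframes and used to size the allocation as CD_FRAMESIZE_RAW * nr, a named constant or a one-line comment saying why 64 frames was chosen would make the bound easier to audit and to keep in sync if the buffer strategy changes.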
