> Sailesh Krishmurthy and I have found what we believe is an exploitable
> bug in drivers/input/joydev.c:joydev_ioctl(). It looks like the
> JSIOCSAXMAP and JSIOCSBTNMAP cases accidentally reverse the arguments to
> copy_from_user(). A user program could call these ioctls with a
> maliciously chosen arg to crash the system or gain root access. A patch
> is attached to this message (though my mailer will probably mangle it --
> sorry). We apologize if we have misunderstood the behavior of this
> function.
Thanks for this report, this was found and fixed already.
>
> We found this bug using the static analysis tool cqual,
> http://www.cs.berkeley.edu/~jfoster/cqual/, developed at UC Berkeley by
> Jeff Foster, John Kodumal, and many others.
>
> Please CC us in any replies.
>
> Thanks for all your great work on the kernel.
>
> Best,
> Rob Johnson (rtjohnso@cs.berkeley.edu)
> Sailesh Krishnamurthy (sailesh@cs.berkeley.edu)
>
>
>
> --- joydev.c Wed May 15 10:25:26 2002
> +++ joydev_fixed.c Wed May 15 10:37:36 2002
> @@ -363,7 +363,7 @@
> return copy_to_user((struct js_corr *) arg,
> joydev->corr,
> sizeof(struct js_corr) *
> joydev->nabs) ? -EFAULT : 0;
> case JSIOCSAXMAP:
> - if (copy_from_user((__u8 *) arg, joydev->abspam,
> sizeof(__u8) *
> ABS_MAX))
> + if (copy_from_user(joydev->abspam, (__u8 *) arg,
> sizeof(__u8) *
> ABS_MAX))
> return -EFAULT;
> for (i = 0; i < ABS_MAX; i++) {
> if (joydev->abspam[i] > ABS_MAX) return
> -EINVAL;
> @@ -374,7 +374,7 @@
> return copy_to_user((__u8 *) arg,
> joydev->abspam,
> sizeof(__u8) * ABS_MAX)
> ? -EFAULT : 0;
> case JSIOCSBTNMAP:
> - if (copy_from_user((__u16 *) arg,
> joydev->absmap, sizeof(__u16) *
> (KEY_MAX - BTN_MISC)))
> + if (copy_from_user(joydev->absmap, (__u16 *)
> arg, sizeof(__u16) *
> (KEY_MAX - BTN_MISC)))
> return -EFAULT;
> for (i = 0; i < KEY_MAX - BTN_MISC; i++); {
> if (joydev->keypam[i] > KEY_MAX ||
> joydev->keypam[i] < BTN_MISC)
> return -EINVAL;
>
-- Vojtech Pavlik SuSE Labs - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/