[CHECKER] pcmcia user-pointer dereference

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: David S. Miller: "Re: [patch] cache flush bug in mm/filemap.c (all kernels >="
• Previous message: Jeff Garzik: "[BK PATCHES] net driver merges"
• Next in thread: David Hinds: "Re: [CHECKER] pcmcia user-pointer dereference"
• Reply: David Hinds: "Re: [CHECKER] pcmcia user-pointer dereference"
• Reply: Alan Cox: "Re: [CHECKER] pcmcia user-pointer dereference"
• Reply: David Wagner: "Re: [CHECKER] pcmcia user-pointer dereference"

I contacted David Hinds about this; the behavior is by design. User
space passes in a pointer to a kernel data structure, and the kernel
verifies it by checking a magic number in that structure.

It seems possible to perform some activity from user space to get the
magic number into (any) kernel memory, then iterate over kernel space
by passing pointers to the pcmcia ds_ioctl() until you manage to
corrupt something. But I'm not really a security guy...

-- 
Hollis Blanchard
IBM Linux Technology Center

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

• Next message: David S. Miller: "Re: [patch] cache flush bug in mm/filemap.c (all kernels >="
• Previous message: Jeff Garzik: "[BK PATCHES] net driver merges"
• Next in thread: David Hinds: "Re: [CHECKER] pcmcia user-pointer dereference"
• Reply: David Hinds: "Re: [CHECKER] pcmcia user-pointer dereference"
• Reply: Alan Cox: "Re: [CHECKER] pcmcia user-pointer dereference"
• Reply: David Wagner: "Re: [CHECKER] pcmcia user-pointer dereference"