This ioctl just returns the contents of another field of that same
data structure that contains the magic number. So, a malicious user
could, if they were able to cause another kernel data structure to
contain that magic number and they knew the address of that data
structure, use this ioctl to read out the contents of an adjacent
field that might not have otherwise been user-accessible. You could
not corrupt anything with this ioctl.

The kernel pointer could be done away with, by instead using an
integer to represent the position in a linked list of the target data
structure, which would be the best fix, if someone wants to code it.
- Dave
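
Added example (not part of the original message and not the kernel's own code): a userspace C model of the fix suggested above, in which the ioctl argument is a position in the driver's linked list rather than a kernel pointer checked against a magic number. The struct, field and function names and the sample values are hypothetical; a real driver would also hold the list's lock during the walk.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical stand-in for the driver's data structure. */
struct target {
    unsigned int info;      /* the field the ioctl reports to the caller */
    struct target *next;    /* driver-owned list of live objects */
};

/*
 * Resolve a caller-supplied position to an object by walking the list the
 * driver itself maintains. The integer is never treated as an address, so
 * the caller can only ever name objects that are really on the list.
 */
static struct target *lookup_by_index(struct target *head, unsigned int idx)
{
    struct target *t = head;
    unsigned int i;

    for (i = 0; t != NULL && i < idx; i++)
        t = t->next;
    return t;               /* NULL when idx is past the end of the list */
}

/* Model of the ioctl body: 0 and *out filled in, or -ENOENT. */
static int get_info(struct target *head, unsigned int idx, unsigned int *out)
{
    struct target *t = lookup_by_index(head, idx);

    if (t == NULL)
        return -ENOENT;
    *out = t->info;
    return 0;
}

/* Constructed sample list of three objects, used for demonstration only. */
static struct target *sample_list(void)
{
    static struct target n[3];

    n[0].info = 0x11; n[0].next = &n[1];
    n[1].info = 0x22; n[1].next = &n[2];
    n[2].info = 0x33; n[2].next = NULL;
    return &n[0];
}
```

With this shape there is no magic-number check left to satisfy: an out-of-range value simply fails the lookup.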