Re: [CHECKER] pcmcia user-pointer dereference

Hollis Blanchard (hollisb@us.ibm.com)
Thu, 29 May 2003 16:30:54 -0500


On Thursday, May 29, 2003, at 16:22 US/Central, David Hinds wrote:

> On Thu, May 29, 2003 at 04:11:19PM -0500, Hollis Blanchard wrote:
>>
>> I contacted David Hinds about this; the behavior is by design. User
>> space passes in a pointer to a kernel data structure, and the kernel
>> verifies it by checking a magic number in that structure.
>>
>> It seems possible to perform some activity from user space to get the
>> magic number into (any) kernel memory, then iterate over kernel space
>> by passing pointers to the pcmcia ds_ioctl() until you manage to
>> corrupt something. But I'm not really a security guy...
>
> This ioctl just returns the contents of another field of that same
> data structure that contains the magic number. So, a malicious user
> could, if they were able to cause another kernel data structure to
> contain that magic number and they knew the address of that data
> structure, use this ioctl to read out the contents of an adjacent
> field that might not have otherwise been user-accessable. You could
> not corrupt anything with this ioctl.

That's true for pcmcia_get_mem_page. However pcmcia_map_mem_page writes
into the structure it verifies. I think pcmcia_get_first/next_window
could also be used to corrupt memory (*handle = win in
pcmcia_get_window).

> The kernel pointer could be done away with, by instead using an
> integer to represent the position in a linked list of the target data
> structure, which would be the best fix, if someone wants to code it.

That does sound like a better idea. :)

-- 
Hollis Blanchard
IBM Linux Technology Center

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/