The Stanford checker said:
---------------------------------------------------------
[BUG] pass kernel pointer into copy_*_user. bug is in VIDIOCGTUNER. Should
not call copy_to_user on arg since arg is already in kernel space.
/home/junfeng/linux-2.5.63/drivers/media/radio/radio-cadet.c:397:cadet_do_ioctl:
ERROR:TAINTED:397:397: dereferencing tainted ptr 'v' [Callstack: ]
{
case VIDIOCGCAP:
{
struct video_capability *v = arg;
memset(v,0,sizeof(*v));
Error --->
v->type=VID_TYPE_TUNER;
v->channels=2;
v->audios=1;
strcpy(v->name, "ADS Cadet");
---------------------------------------------------------
As pointed out, 'v' is not tainted. The driver shouldn't be using
copy_to_user() in cadet_do_ioctl() at all: cadet_do_ioctl() is being
called by drivers/media/video/videodev.c:video_usercopy(), which has
already copied the buffer 'arg' (aka 'v') into kernel space, and will
copy it back after cadet_do_ioctl() returns. So all the direct 'v'
accesses are correct.
-- 
Hollis Blanchard
IBM Linux Technology Center
Attachment: cadetradio-badcopy.txt
===== drivers/media/radio/radio-cadet.c 1.13 vs edited ===== --- 1.13/drivers/media/radio/radio-cadet.c Fri Apr 4 11:34:37 2003 +++ edited/drivers/media/radio/radio-cadet.c Wed May 28 17:36:32 2003 @@ -389,9 +389,6 @@ v->flags|=VIDEO_TUNER_STEREO_ON; } v->flags|=cadet_getrds(); - if(copy_to_user(arg,&v, sizeof(v))) { - return -EFAULT; - } break; case 1: strcpy(v->name,"AM"); @@ -402,9 +399,6 @@ v->mode=0; v->mode|=VIDEO_MODE_AUTO; v->signal=sigstrength; - if(copy_to_user(arg,&v, sizeof(v))) { - return -EFAULT; - } break; } return 0;
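Review bot: The two removed calls were wrong in a second way besides targeting a kernel pointer: `copy_to_user(arg,&v, sizeof(v))` passes the address of the local pointer `v` and a length of sizeof(v), so even with a real user address it would have written the pointer's bytes, not a struct video_tuner. Dropping both hunks' calls is therefore the right fix rather than a destination change; after the patch both `case 0:` and `case 1:` fall to `break;` and `return 0;`, so the only copy back to user space is the one the caller performs on the buffer it passed in as 'arg'. Worth a one-line comment at the top of the VIDIOCGTUNER case saying that 'arg' is a kernel buffer owned by the caller, so the next maintainer does not reintroduce a copy_to_user().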