On Jan 14 2007 15:58, Suhabe Bugrara wrote:
>
> In linux-2.6.19.2, do the following lines have bugs in them? It looks
> like they dereference a user pointer without first being checked by
> the "access_ok" macro to ensure that they point into userspace.
>
> Suhabe
>
> ========================
> File: sound/isa/sscape.c
> Lines: 550, 665
> Description: The pointer "bb" is dereferenced in the expression
> "bb->code" without being checked first.
> Fix: Replace "bb->code" with "&bb->code"
Looking at 2.6.20-rc5 now...
550: ret = upload_dma_data(sscape, bb->code, sizeof(bb->code));
665: if ( !access_ok(VERIFY_READ, bb->code, sizeof(bb->code)) )
Here's a test:
$ cat x.c
/*1*/ struct foo {
/*2*/ char bar[256];
/*3*/ };
/*4*/ int main(void) {
/*5*/ struct foo tmp;
/*6*/ char *x = tmp.bar;
/*7*/ char *y = &tmp.bar;
/*8*/ return 0;
/*9*/ }
$ cc x.c -Wall
x.c:7: warning: initialization from incompatible pointer type
Hence, &bb->code would be wrong. Really. (Talk to ##c or comp.lang.c
perhaps on details.)
>
> ========================
> File: block/scsi_ioctl.c
> Lines: 406, 427, 430, 482, 486
> Description: The pointer "sic" is dereferenced in the expression
> "sic->data" without being checked first.
> Fix: Replace "sic->code" with "&sic->code"
Same. sic->code decays into a char* when used.
This gets boring, I won't look at the others.
-`J'
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
