
List:       linux-aacraid-devel
Subject:    RE: 2.4.23: possible user/kernel pointer bug in commctrl.c
From:       "Salyzyn, Mark" <mark_salyzyn () adaptec ! com>
Date:       2004-01-13 21:22:06
Message-ID: C2CB6D8BA015124783C0EB9B33D24FFD0481BD () otcexc01 ! otc ! adaptec ! com

aac_send_raw_srb is called by management software, the dependency on bounds
checking is left with the (proprietary) application software. The only
management software that utilizes this ioctl command, I believe, is used to
flash new firmware on to the drives.

The 64 bit handling *is* flawed, and that code is only triggered (in
Adaptec's code base) when there is in fact more than 4GB of memory in the
system, the card is 64 bit capable *and* the kernel has been configured for
more than 4GB of access. I will fix this problem, but it will not affect the
general stability of the driver.

Thanks for pointing out the error of our ways.

Sincerely -- Mark Salyzyn

-----Original Message-----
From: linux-aacraid-devel-admin@dell.com
[mailto:linux-aacraid-devel-admin@dell.com] On Behalf Of Robert T. Johnson
Sent: Tuesday, January 13, 2004 3:50 PM
To: linux-aacraid-devel@dell.com
Subject: 2.4.23: possible user/kernel pointer bug in commctrl.c

This code looks very suspicious to me, but I thought I'd get a second
opinion:

In drivers/scsi/aacraid/commctrl.c:aac_send_raw_srb()

line 422:  fibsize is copied from userspace
line 428:  fibsize bytes are copied from userspace

No bounds-checking is done.  CAP_SYS_ADMIN is checked above but this
still looks bad.

Later in the same function:

line 462:  struct sgmap64* psg = (struct sgmap64*)&srbcmd->sg;
line 494:  copy_from_user(p,psg->sg[i].addr,psg->sg[i].count)

Since psg is an sgmap64 (not a regular sgmap), psg->sg[i].addr is an
array of two elements (to hold the upper and lower halves of the
address).  So it looks like this code is just copying the address itself
(and random bytes that follow), not the data pointed to by the address. 
Is this really what was intended?  As it is, it looks like it won't work
at all.

Are these real bugs, or am I just confused?  Thanks for any help.

Best,
Rob


_______________________________________________
Linux-aacraid-devel mailing list
Linux-aacraid-devel@dell.com
http://lists.us.dell.com/mailman/listinfo/linux-aacraid-devel
Please read the FAQ at http://lists.us.dell.com/faq or search the list
archives at http://lists.us.dell.com/htdig/
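As an added example, not code from the aacraid driver or from either poster: a userspace C model of the two points Rob raises, a bounds check on the user-supplied fibsize before it is used as a copy length, and reconstruction of the 64-bit user address from the two halves of the sgmap64 addr field instead of handing copy_from_user the address of that array. The struct layout, the low/high ordering of the halves, MAX_FIB_SIZE and the memcpy stand-in for copy_from_user are assumptions for illustration, not the driver's real definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Hypothetical layout mirroring the description in the thread: a 64-bit
 * scatter/gather entry stores its address as two 32-bit halves. */
struct sgentry64 {
    uint32_t addr[2];   /* assumed: [0] = low 32 bits, [1] = high 32 bits */
    uint32_t count;
};

#define MAX_FIB_SIZE 2048u   /* constructed limit for the kernel-side buffer */

/* The length itself comes from userspace, so validate it before it becomes
 * a copy length. Returns 0 if acceptable, -EINVAL otherwise. */
int check_fibsize(uint32_t fibsize, size_t header_len)
{
    if (fibsize < header_len || fibsize > MAX_FIB_SIZE)
        return -EINVAL;
    return 0;
}

/* Rebuild the 64-bit user address from the two halves; this value, not
 * &e->addr, is what a copy routine must be given. */
uint64_t sg64_user_addr(const struct sgentry64 *e)
{
    return ((uint64_t)e->addr[1] << 32) | e->addr[0];
}

/* Split a pointer into the two halves (the form userspace would hand in). */
void sg64_set_user_addr(struct sgentry64 *e, const void *p, uint32_t count)
{
    uint64_t a = (uint64_t)(uintptr_t)p;
    e->addr[0] = (uint32_t)a;
    e->addr[1] = (uint32_t)(a >> 32);
    e->count = count;
}

/* Guarded copy: refuse a count larger than the destination, then copy from
 * the reconstructed address (memcpy stands in for copy_from_user here). */
int copy_sg_entry(unsigned char *dst, size_t dst_len, const struct sgentry64 *e)
{
    if (e->count > dst_len)
        return -EINVAL;
    memcpy(dst, (const void *)(uintptr_t)sg64_user_addr(e), e->count);
    return 0;
}

/* Round trip on a constructed buffer: 1 if the copied bytes match, else 0. */
int demo_round_trip(void)
{
    static const unsigned char src[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    unsigned char dst[8] = { 0 };
    struct sgentry64 e;
    sg64_set_user_addr(&e, src, sizeof src);
    if (copy_sg_entry(dst, sizeof dst, &e) != 0)
        return 0;
    return memcmp(src, dst, sizeof src) == 0;
}
```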


