Suspicious code in i2c-dev.c
Russell King
rmk en arm.linux.org.uk
Dom Ene 23 00:49:06 CST 2000
Hi,
Looking through i2c-dev.c, I noticed the following code, which appears
to be wrong:
/* copy user space data to kernel space. */
tmp = kmalloc(count,GFP_KERNEL);
if (tmp==NULL)
return -ENOMEM;
#ifdef DEBUG
printk("i2c-dev,o: i2c-%d reading %d bytes.\n",MINOR(inode->i_rdev),count);
#endif
ret = i2c_master_recv(client,tmp,count);
copy_to_user(buf,tmp,count);
kfree(tmp);
return ret;
for the following reasons:
1. If i2c_master_recv does not write to `tmp' but returns an error,
copy_to_user will copy uninitialised kernel memory to the user,
possibly from another user process - security concern.
2. copy_to_user may fault, and if this is the case, the user will
never know (the user will not see the EFAULT error code returned).
There are more instances of point 2, including some with copy_from_user.
_____
|_____| ------------------------------------------------- ---+---+-
| | Russell King rmk en arm.linux.org.uk --- ---
| | | | http://www.arm.linux.org.uk/~rmk/aboutme.html / / |
| +-+-+ --- -+-
/ | THE developer of ARM Linux |+| /|\
/ | | | --- |
+-+-+ ------------------------------------------------- /\\\ |
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo en vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
Más información sobre la lista de distribución Ayuda