[Bugme-new] [Bug 11408] New: another possible buffer-overflow bug in applicom.c
bugme-daemon at bugzilla.kernel.org
bugme-daemon at bugzilla.kernel.org
Fri Aug 22 15:07:22 PDT 2008
http://bugzilla.kernel.org/show_bug.cgi?id=11408
Summary: another possible buffer-overflow bug in applicom.c
Product: Drivers
Version: 2.5
KernelVersion: 2.6.26
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Flash/Memory Technology Devices
AssignedTo: dwmw2 at infradead.org
ReportedBy: zrakamar at cs.ubc.ca
CC: zrakamar at cs.ubc.ca
Hi,
first of all, I appreciate your quick response regarding the bug related to the
same file (applicom.c) I submitted recently (Bug #11397). If you ever get to
taking a closer look and maybe fixing that one, here is another one from the
same file.
Problem Description:
Here is the part of code from applicom.c (function ac_ioctl) showing what I
think is a possible buffer-overflow bug:
.....
IndexCard = adgl->num_card-1;
if(cmd != 0 && cmd != 6 &&
((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) {
static int warncount = 10;
if (warncount) {
printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number
%d\n",(int)IndexCard+1);
warncount--;
}
kfree(adgl);
return -EINVAL;
}
switch (cmd) {
case 0:
pmem = apbs[IndexCard].RamIO;
....
Explanation:
If cmd == 0 (or cmd == 6) then IndexCard is not going to be checked for size in
this if statement:
if(cmd != 0 && cmd != 6 &&
((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) {
which means that when we hit this case:
case 0:
pmem = apbs[IndexCard].RamIO;
it is possible that IndexCard >= MAX_BOARD and we have a buffer overflow.
There is a possibility, however, that there is an implicit, complex invariant
that whenever cmd == 0 or cmd == 6, IndexCard is never going to be out of
bounds and therefore doesn't have to be checked. Then this bug wouldn't happen,
but I think this is still a pretty bas coding practice.
Any explanation would be greatly appreciated.
Thanks!
-- Zvonimir
--
Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
More information about the Bugme-new
mailing list