[Bugme-new] [Bug 11408] New: another possible buffer-overflow bug in applicom.c

bugme-daemon at bugzilla.kernel.org bugme-daemon at bugzilla.kernel.org
Fri Aug 22 15:07:22 PDT 2008


http://bugzilla.kernel.org/show_bug.cgi?id=11408

           Summary: another possible buffer-overflow bug in applicom.c
           Product: Drivers
           Version: 2.5
     KernelVersion: 2.6.26
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Flash/Memory Technology Devices
        AssignedTo: dwmw2 at infradead.org
        ReportedBy: zrakamar at cs.ubc.ca
                CC: zrakamar at cs.ubc.ca


Hi,

first of all, I appreciate your quick response regarding the bug related to the
same file (applicom.c) I submitted recently (Bug #11397). If you ever get to
taking a closer look and maybe fixing that one, here is another one from the
same file.

Problem Description:

Here is the part of code from applicom.c (function ac_ioctl) showing what I
think is a possible buffer-overflow bug:

.....
  IndexCard = adgl->num_card-1;

  if(cmd != 0 && cmd != 6 &&
      ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) {
    static int warncount = 10;
    if (warncount) {
      printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number %d\n",(int)IndexCard+1);
      warncount--;
    }
    kfree(adgl);
    return -EINVAL;
  }

  switch (cmd) {

  case 0:
    pmem = apbs[IndexCard].RamIO;
....


Explanation:

If cmd == 0 (or cmd == 6) then IndexCard is not going to be checked for size in
this if statement:
  if(cmd != 0 && cmd != 6 &&
      ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) {

which means that when we hit this case:
  case 0:
    pmem = apbs[IndexCard].RamIO;

it is possible that IndexCard >= MAX_BOARD and we have a buffer overflow.

There is a possibility, however, that there is an implicit, complex invariant
that whenever cmd == 0 or cmd == 6, IndexCard is never going to be out of
bounds and therefore doesn't have to be checked. Then this bug wouldn't happen,
but I think this is still a pretty bad coding practice.

Any explanation would be greatly appreciated.

Thanks!
-- Zvonimir
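
The following is an added, stand-alone illustration of the check discussed in the report; it is not code from the report or from the applicom driver. It models the quoted predicate in user space, shows that cmd 0 reaches the switch with an unchecked index, and contrasts it with a hardened form in which every access to the board table goes through one validated lookup. The names MAX_BOARD, apbs, RamIO and IndexCard come from the report; the value 8, the struct layout, the constructed board table, and the helpers lookup_board, hardened_cmd0, original_check_rejects, original_index_unchecked and index_from_num_card are assumptions made for this example, as is the unsigned type used in index_from_num_card.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the driver's board table. MAX_BOARD, apbs and RamIO are the
 * names used in the bug report; the value 8 and the struct shape are
 * assumptions for this example. */
#define MAX_BOARD 8

struct board {
    void *RamIO;   /* NULL when no card is mapped at this index */
};

static struct board apbs[MAX_BOARD];
static unsigned char fake_ram[MAX_BOARD][16];   /* constructed "card memory" */

/* Constructed layout: slots 0 and 2 have a card, every other slot is empty. */
static void setup_boards(void)
{
    memset(apbs, 0, sizeof(apbs));
    apbs[0].RamIO = fake_ram[0];
    apbs[2].RamIO = fake_ram[2];
}

/* Assumption: num_card is an unsigned byte, so num_card == 0 wraps to 255,
 * which is far beyond MAX_BOARD. This is why the index must be range-checked
 * before it is ever used to subscript apbs[]. */
static unsigned char index_from_num_card(unsigned char num_card)
{
    return (unsigned char)(num_card - 1);
}

/* The predicate exactly as quoted in the report. Returns true when the driver
 * would reject the request with -EINVAL. Because of the leading cmd tests,
 * cmd 0 and cmd 6 bypass the range check entirely. */
static bool original_check_rejects(unsigned int cmd, unsigned int IndexCard)
{
    if (cmd != 0 && cmd != 6 &&
        ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO))
        return true;
    return false;
}

/* True when the original predicate lets an out-of-range index through to the
 * switch, i.e. the situation the report describes for "case 0". The table is
 * deliberately not subscripted here; the point is that the driver would. */
static bool original_index_unchecked(unsigned int cmd, unsigned int IndexCard)
{
    return !original_check_rejects(cmd, IndexCard) && IndexCard >= MAX_BOARD;
}

/* Hardened form: a single validated lookup is the only way to read apbs[],
 * so no command path can reach the table with an unchecked index. */
static int lookup_board(unsigned int IndexCard, void **pmem)
{
    if (IndexCard >= MAX_BOARD || !apbs[IndexCard].RamIO)
        return -EINVAL;
    *pmem = apbs[IndexCard].RamIO;
    return 0;
}

/* Model of the "case 0" path using the validated lookup instead of a direct
 * apbs[IndexCard].RamIO subscript. */
static int hardened_cmd0(unsigned int IndexCard, void **pmem)
{
    return lookup_board(IndexCard, pmem);
}

int main(void)
{
    unsigned int cmds[] = { 0, 1, 6 };
    unsigned int idx[] = { 2, 1, MAX_BOARD, index_from_num_card(0) };
    void *pmem;

    setup_boards();
    printf("%-4s %-6s %-18s %-10s\n", "cmd", "index", "original_rejects", "unchecked");
    for (size_t c = 0; c < sizeof cmds / sizeof cmds[0]; c++)
        for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++)
            printf("%-4u %-6u %-18s %-10s\n", cmds[c], idx[i],
                   original_check_rejects(cmds[c], idx[i]) ? "yes" : "no",
                   original_index_unchecked(cmds[c], idx[i]) ? "yes" : "no");

    printf("hardened cmd0, index %u -> %d\n", MAX_BOARD,
           hardened_cmd0(MAX_BOARD, &pmem));
    printf("hardened cmd0, index 2 -> %d\n", hardened_cmd0(2, &pmem));
    return 0;
}
```

Moving the range check into the lookup, rather than gating it on which command was issued, is the defensive pattern to take from this: a reviewer then only has to verify one function, and any later command that indexes the table inherits the check automatically.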

