| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 5 Aug 2017 09:44:45 +0800 (CST)
From: sohu0106 <sohu0106@....com>
To: "Heiko Carstens" <heiko.carstens@...ibm.com>
Cc: schwidefsky@...ibm.com, linux-s390@...r.kernel.org,
torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org
Subject: Re:Re: drivers/s390/char/keyboard.c NULL pointer reference
I don't understand a bit,My idea is
in userland
fd=open("tty3270",O_RDONLY)
...
ret=ioctl(fd,KDGKBDIACR,NULL)
...
then here
drivers/s390/char/keyboard.c
477
case KDGKBDIACR:
{
struct kbdiacrs __user *a = argp;
struct kbdiacr diacr;
int i;
//a is NULL,a->kb_cnt will crash
if (put_user(kbd->accent_table_size, &a->kb_cnt))
At 2017-08-04 17:26:08, "Heiko Carstens" <heiko.carstens@...ibm.com> wrote:
>On Thu, Aug 03, 2017 at 09:57:38PM +0800, sohu0106 wrote:
>>
>>
>> Local users able to send the NULL arg argument to kbd_ioctl(), which could cause kernel crash
>>
>>
>>
>>
>> diff --git a/keyboard.c
>> b/keyboard.c
>> index ba0e4f9..3ec16b1 100644
>> --- a/keyboard.c
>> +++ b/keyboard.c
>> @@ -456,6 +456,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
>> int perm;
>>
>> argp = (void __user *)arg;
>> + if( !argp )
>> + return -EFAULT;
>
>This doesn't make sense as well. All uaccess functions are able to handle
>NULL pointers within user space.
>
Powered by blists - more mailing lists