lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20061012002101.2acca0dd.akpm@osdl.org>
Date:	Thu, 12 Oct 2006 00:21:01 -0700
From:	Andrew Morton <akpm@...l.org>
To:	"J R" <x-list-subscriptions@...mail.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: Bugs in (2.6.18) from static analysis tool

On Wed, 11 Oct 2006 22:06:22 -0700
"J R" <x-list-subscriptions@...mail.com> wrote:

> Hi,
> 
> We are in the final stages of refining a new static analysis framework and 
> are testing it out on various large open source software projects (like 
> other ventures in this space).
> 
> Unlike other enterprises, we are making a linux intraprocedural analysis 
> tool openly available in binary form to allow our results to be reproduced 
> and validated. Ditto the bug lists.
> 
> Although this is commercial software, our team are all strong OS advocates 
> and contributors. We hope to release some components of this project on an 
> OS basis just as soon as we can trash out a solid plan which allows this 
> while also enabling us to purchase food.
> 
> I've only attached 1 or 2 bugs at the end here (the full list is about 10K 
> ascii text), there are at www.cqsat.com/linux.html#bugs. There's about 50 
> and I recon 20 or so are both real and not yet identified.
> 
> Any comments/issues/feedback is appreciated.
> 

useful, thanks.

> 
> ==============================================================================
> SEVERITY=[SERIOUS]
> ISSUE=[Tainted expression (tmp).kb_table used as an index in this context. 
> Expression bounds: [Upper bound unchecked]. Tracking "(tmp).kb_table": 
> unsigned, 8 bit(s)]
> SOURCE=[/p0/working/Downloads/linux-2.6.9/drivers/char/vt_ioctl.c, line 83]
> SINK=[/p0/working/Downloads/linux-2.6.9/drivers/char/vt_ioctl.c, line 88]
> ORIGINATOR=[cqsat]
> 
>       80:     struct kbentry tmp;
>       81:     ushort *key_map, val, ov;
>       82:
>       83:     if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
>           	^^^---------^^^----------^^^
>           	START
>       84:         return -EFAULT;
>       86:     switch (cmd) {
>       87:     case KDGKBENT:
>       88:         key_map = key_maps[s];
>           	^^^---------^^^----------^^^
>           	ERROR
>       89:         if (key_map) {
>       90:             val = U(key_map[i]);
>       91:             if (kbd->kbdmode != VC_UNICODE && KTYP(val) >= 
> NR_TYPES)
>       92:             val = K_HOLE;

Yup, that's a bug.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ