lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200611281249.45243.oliver@neukum.org>
Date:	Tue, 28 Nov 2006 12:49:45 +0100
From:	Oliver Neukum <oliver@...kum.org>
To:	Eric Piel <Eric.Piel@...mplin-utc.net>
Cc:	Laurent Bigonville <l.bigonville@...net.be>,
	linux-kernel@...r.kernel.org
Subject: Re: O2micro smartcard reader driver.


> Latest version I've published is there:
> http://pieleric.free.fr/o2scr/

        case OZSCR_OPEN: /* Request ICC */
            dprintk("OZSCR_OPEN\n");
            ATRLength = ATR_SIZE;
            pRdrExt->IOBase = (PSCR_REGISTERS *) dev->io_base; //XXX necessary?
            pRdrExt->membase = dev->am_base; //XXX necessary?

            pRdrExt->m_SCard.AvailableProtocol = 0;
            pRdrExt->m_SCard.RqstProtocol = 0;
            dprintk("membase:%p\n", pRdrExt->membase);
            dprintk("ioport:0x%03x\n", (unsigned)pRdrExt->IOBase);

            ret = CmdResetReader( pRdrExt, FALSE, ATRBuffer, &ATRLength );
            apdu.LengthOut = ATRLength;

#ifdef PCMCIA_DEBUG
            printk(KERN_DEBUG "Open finished, ATR buffer = ");
            for( ATRLength = 0; ATRLength < apdu.LengthOut; ATRLength++ )
                printk(" [%02X] ", ATRBuffer[ATRLength] );
            printk("\n");
#endif

            memcpy( apdu.DataOut, ATRBuffer, ATRLength );
            ret = copy_to_user((struct ozscr_apdu *)arg, &apdu, sizeof(struct ozscr_apdu));
            break;

1. This needs locking against concurrent ioctls
2. The interpretation of copy_to_user()'s return code is incorrect

            ret = copy_from_user(&apdu, (struct ozscr_apdu *)arg, sizeof(struct ozscr_apdu));
You need to check ret, or you might write shit to the device
            pRdrExt->IOBase = (PSCR_REGISTERS *) dev->io_base;
            pRdrExt->membase = dev->am_base;
            pRdrExt->m_SCard.RqstProtocol = apdu.DataIn[6];
            dprintk("membase:%p\n", pRdrExt->membase);
            dprintk("ioport:0x%03x\n", (unsigned)pRdrExt->IOBase);
            ret = CmdResetReader( pRdrExt, FALSE, ATRBuffer, &ATRLength );

	HTH
		Oliver
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ