On Wed, Jun 02, 2004 at 10:42:43PM +0200, Christoph Hellwig wrote:
> On Wed, Jun 02, 2004 at 10:48:46PM +0200, Sven Luther wrote:
> > Known security problems ? All known problems of 2.4.25 have been fixed
> > and backported from later kernels, so I don't really see what we would
> > gain by going to 2.4.26, apart from uniformity over all arches.
> 
> I don't have the time right now, but from looking through the diffs
> I'll surely be able to point you to a bunch of driver fixes that could
> allow exploits but no one bothered enough to try and write up a big
> bugtraq mail.

This was from 30 seconds looking at the diff, so I haven't checked
whether it's actually coming from an unprivileged entry point.
If it did we'd have a nice integer overflow and afterwards scrambling
over random memory:


diff -Nru a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
--- a/net/bluetooth/hci_conn.c  2004-06-02 22:48:10 +02:00
+++ b/net/bluetooth/hci_conn.c  2004-06-02 22:48:10 +02:00
@@ -358,21 +358,24 @@
        struct hci_conn_info *ci;
        struct hci_dev *hdev;
        struct list_head *p;
-       int n = 0, size;
+       int n = 0, size, err;
 
        if (copy_from_user(&req, (void *) arg, sizeof(req)))
                return -EFAULT;
 
-       if (!(hdev = hci_dev_get(req.dev_id)))
-               return -ENODEV;
-
-       size = req.conn_num * sizeof(struct hci_conn_info) + sizeof(req);
+       if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
+               return -EINVAL;
 
-       if (verify_area(VERIFY_WRITE, (void *)arg, size))
-               return -EFAULT;
+       size = sizeof(req) + req.conn_num * sizeof(*ci);
 
        if (!(cl = (void *) kmalloc(size, GFP_KERNEL)))
                return -ENOMEM;
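Review bot: the bound added at `+ if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))` is the real fix in this hunk: `req.conn_num` arrives straight from `copy_from_user` and `size` is a plain `int`, so without it the multiplication in the old `size = req.conn_num * sizeof(struct hci_conn_info) + sizeof(req)` could wrap and hand `kmalloc` a `size` that bears no relation to the number of entries requested. Three follow-ups: `err` is added to the declaration but never used in the visible lines, so either the rest of the function should use it or it should be dropped; the `verify_area(VERIFY_WRITE, (void *)arg, size)` pre-check is removed, so the eventual write-back to `arg` (outside this hunk) must go through `copy_to_user` and return `-EFAULT` on failure; and the `hci_dev_get()` / `-ENODEV` lookup is removed from this spot, which is fine if it now happens after the `-EINVAL` check (so a bad request is rejected before a device reference is taken), but that should be confirmed in the part of the diff not shown here. A short comment explaining why `PAGE_SIZE * 2` is the chosen ceiling would also help readers.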

