[PATCH] RTAS syscall NULL ptr deref (2.6)

John Rose johnrose at austin.ibm.com
Sat Feb 28 03:16:09 EST 2004


Hi Ben-

> Can you quickly explain how the code could do a NULL ptr deref in
> the first place? (and how that's fixed).

Heh sure.  The rets member of the rtas_args structure is an int pointer
into the args member, which is an int array.  Initially, I didn't set
the "rets" ptr in this syscall, because I didn't need it in the
function, and it wouldn't be useful to userspace when copied out.

The following lines were more recently added to log hardware errors:
+ 	if (args.rets[0] == -1)
+  		log_rtas_error(&args);

Since rets was unassigned in this case, we're reading at a bad address.
The following line fixes the problem:
+     args.rets  = (rtas_arg_t *)&(args.args[nargs]);
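Review bot: the index in &(args.args[nargs]) needs a range check on nargs ahead of this assignment, and that check is not visible in the lines quoted here. If nargs can exceed the size of args.args, rets ends up pointing outside the structure, and the args.rets[0] comparison added for error logging would then read from that location. It is also worth confirming that a return slot exists (a nonzero return count) before rets[0] is read, and adding a short comment noting that rets must be set before log_rtas_error(&args) is reached.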

Thanks-
John


** Sent via the linuxppc64-dev mail list. See http://lists.linuxppc.org/
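A simplified userland model of the bug and fix described in this message, added here as an example and not taken from the kernel or from the patch. The `model_` names, the array size of 16 and the count checks are assumptions; the checks go beyond the one-line fix to cover the case where the counts do not fit the array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_ARGS 16              /* assumed size of args[] in this model */
typedef uint32_t model_arg_t;          /* stand-in for rtas_arg_t */

struct model_rtas_args {
    uint32_t nargs;                    /* input words at the start of args[] */
    uint32_t nret;                     /* return words that follow the inputs */
    model_arg_t args[MODEL_MAX_ARGS];
    model_arg_t *rets;                 /* valid only once bound to args[nargs] */
};

/* Bind rets to the return area. Returns 0 on success, -1 if the
 * counts do not fit in args[] or leave no status word to read. */
int model_bind_rets(struct model_rtas_args *a)
{
    a->rets = NULL;
    if (a->nargs > MODEL_MAX_ARGS || a->nret > MODEL_MAX_ARGS - a->nargs)
        return -1;
    if (a->nret == 0)
        return -1;
    a->rets = &a->args[a->nargs];
    return 0;
}

/* 1: status word is -1 (error to log), 0: no error, -1: rets not bound. */
int model_reports_hw_error(const struct model_rtas_args *a)
{
    if (a->rets == NULL)
        return -1;
    return a->rets[0] == (model_arg_t)-1;
}

int main(void)
{
    struct model_rtas_args a;
    memset(&a, 0, sizeof a);           /* constructed input: 2 args, 1 return */
    a.nargs = 2;
    a.nret = 1;
    printf("before bind: %d\n", model_reports_hw_error(&a));
    if (model_bind_rets(&a) == 0) {
        a.args[2] = (model_arg_t)-1;   /* constructed failing status */
        printf("after bind:  %d\n", model_reports_hw_error(&a));
    }
    return 0;
}
```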




