From: Cyrill Gorcunov <gorcunov@gmail.com>
To: David Wagner <daw-news@cs.berkeley.edu>
Cc: linux-kernel@vger.kernel.org
Subject: Re: buffer overflow in /proc/sys/sunrpc/transports
Date: Sun, 31 Aug 2008 12:37:53 +0400 [thread overview]
Message-ID: <20080831083753.GA7391@lenovo> (raw)
In-Reply-To: <g9cj5n$tjv$1@taverner.cs.berkeley.edu>
[David Wagner - Sat, Aug 30, 2008 at 10:55:51PM +0000]
| Cyrill Gorcunov wrote:
| >Index: linux-2.6.git/net/sunrpc/sysctl.c
| >===================================================================
| >--- linux-2.6.git.orig/net/sunrpc/sysctl.c 2008-07-20 11:40:14.000000000 +0400
| >+++ linux-2.6.git/net/sunrpc/sysctl.c 2008-08-30 23:05:30.000000000 +0400
| >@@ -69,6 +69,8 @@ static int proc_do_xprt(ctl_table *table
| > return -EINVAL;
| > else {
| > len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
| >+ if (*lenp < len)
| >+ return -EFAULT;
| > if (!access_ok(VERIFY_WRITE, buffer, len))
| > return -EFAULT;
|
| 1. Would it be better to use copy_to_user() rather than
| access_ok() followed immediately by __copy_to_user()?
|
| 2. Is it OK to dereference *lenp directly? Is lenp a pointer into user
| memory or kernel memory? If it points to user memory, why is it safe to
| dereference it directly? (What about TOCTTOU bugs?) Should there be
| some sparse annotations here to ensure the code is not dereferencing
| user pointers directly? Later on, proc_do_xprt() also dereferences
| *lenp and *ppos directly.
Didn't check for this - will do.
|
| 3. 'len' is declared as a signed int. len will be converted to size_t
| before doing the comparison, so if len can ever be negative (e.g.,
| svc_print_xprts() returns -1 because of an error), this patch will do
| the wrong thing. Looks like the current definition of svc_print_xprts()
| won't ever do that, as that code currently stands, so at present this
| is not a bug. However from a security point of view there are benefits
| to code whose correctness is 'locally obvious', all else being equal.
| In particular this seems like a possible maintenance hazard. Would it be
| better to use type size_t for lengths like this that are never supposed
| to be negative?
|
| 4. Is proc_dostring() relevant here?
|
Yes David, I think proc_dostring is better candidate to use here, thanks!
- Cyrill -
next prev parent reply other threads:[~2008-08-31 8:38 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-30 18:44 buffer overflow in /proc/sys/sunrpc/transports Vegard Nossum
2008-08-30 19:06 ` Cyrill Gorcunov
2008-08-30 19:15 ` Vegard Nossum
2008-08-30 19:21 ` Cyrill Gorcunov
2008-08-30 19:23 ` Cyrill Gorcunov
2008-08-30 19:34 ` Vegard Nossum
2008-08-30 19:44 ` Cyrill Gorcunov
2008-08-30 19:42 ` Vegard Nossum
2008-08-30 19:45 ` Cyrill Gorcunov
2008-08-30 19:56 ` Cyrill Gorcunov
2008-08-30 19:59 ` Vegard Nossum
2008-08-30 20:04 ` Cyrill Gorcunov
2008-08-30 20:13 ` Vegard Nossum
2008-08-30 20:15 ` Cyrill Gorcunov
2008-08-30 20:29 ` Cyrill Gorcunov
2008-08-30 22:55 ` David Wagner
2008-08-31 8:37 ` Cyrill Gorcunov [this message]
2008-08-31 10:30 ` Cyrill Gorcunov
2008-08-31 10:37 ` Cyrill Gorcunov
2008-08-30 20:20 ` David Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080831083753.GA7391@lenovo \
--to=gorcunov@gmail.com \
--cc=daw-news@cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.