From: Mike Snitzer <snitzer@redhat.com>
To: Alasdair G Kergon <agk@redhat.com>
Cc: dm-devel@redhat.com, Mikulas Patocka <mpatocka@redhat.com>
Subject: Re: [PATCH 2/3] dm-ioctl: fix unsafe use of dm_ioctl.data_size
Date: Thu, 6 Dec 2012 18:30:28 -0500 [thread overview]
Message-ID: <20121206233027.GA781@redhat.com> (raw)
In-Reply-To: <20121206212216.GJ6834@agk.fab.redhat.com>
On Thu, Dec 06 2012 at 4:22pm -0500,
Alasdair G Kergon <agk@redhat.com> wrote:
> I don't think we need to support the situation when the value changes during
> the copying of the parameters, so how about something more like this instead?
>
> Alasdair
>
>
> From: Alasdair G Kergon <agk@redhat.com>
>
> Abort dm ioctl processing if userspace changes the data_size parameter
> after we validated it but before we finished copying the data buffer
> from userspace.
>
> The dm ioctl parameters are processed in the following sequence:
> 1. ctl_ioctl() calls copy_params();
> 2. copy_params() makes a first copy of the fixed-sized portion of the
> userspace parameters into the local variable "tmp";
> 3. copy_params() then validates tmp.data_size and allocates a new
> structure big enough to hold the complete data and copies the whole
> userspace buffer there;
> 4. ctl_ioctl() reads userspace data the second time and copies the whole
> buffer into the pointer "param";
> 5. ctl_ioctl() reads param->data_size without any validation and stores it
> in the variable "input_param_size";
> 6. "input_param_size" is further used as the authoritative size of the
> kernel buffer.
>
> The problem is that userspace code could change the contents of user
> memory between steps 2 and 4. In particular, the data_size parameter
> can be changed to an invalid value after the kernel has validated it.
> This lets userspace force the kernel to access invalid kernel memory.
>
> The fix is to ensure that the size has not changed at step 4.
>
> This patch shouldn't have a security impact because CAP_SYS_ADMIN is
> required to run this code, but it should be fixed anyway.
>
> Reported-by: Mikulas Patocka <mpatocka@redhat.com>
> Signed-off-by: Alasdair G Kergon <agk@redhat.com>
> Cc: stable@kernel.org
Looks good.
Acked-by: Mike Snitzer <snitzer@redhat.com>
next prev parent reply other threads:[~2012-12-06 23:30 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-23 0:19 [PATCH 1/3] dm-ioctl: don't use PF_MEMALLOC Mikulas Patocka
2012-11-23 0:20 ` [PATCH 2/3] dm-ioctl: fix unsafe use of dm_ioctl.data_size Mikulas Patocka
2012-11-23 0:21 ` [PATCH 3/3] dm-ioctl: use kmalloc if possible Mikulas Patocka
2012-12-06 21:22 ` [PATCH 2/3] dm-ioctl: fix unsafe use of dm_ioctl.data_size Alasdair G Kergon
2012-12-06 23:30 ` Mike Snitzer [this message]
2012-12-07 2:53 ` Mikulas Patocka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121206233027.GA781@redhat.com \
--to=snitzer@redhat.com \
--cc=agk@redhat.com \
--cc=dm-devel@redhat.com \
--cc=mpatocka@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.