From: "Michael S. Tsirkin" <mst@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>,
Jason Wang <jasowang@redhat.com>,
Zhi Yong Wu <wuzhy@linux.vnet.ibm.com>,
Tom Herbert <therbert@google.com>,
Masatake YAMATO <yamato@redhat.com>, Xi Wang <xii@google.com>,
stephen hemminger <stephen@networkplumber.org>,
netdev@vger.kernel.org
Subject: Re: [PATCH] tun: make sure interface usage can not overflow
Date: Mon, 29 Sep 2014 15:02:28 +0300 [thread overview]
Message-ID: <20140929120228.GA1151@redhat.com> (raw)
In-Reply-To: <20140929114849.GA913@redhat.com>
On Mon, Sep 29, 2014 at 02:48:49PM +0300, Michael S. Tsirkin wrote:
> On Sun, Sep 28, 2014 at 04:27:53PM -0700, Kees Cook wrote:
> > This makes the size argument a const, since it is always populated by
> > the caller. Additionally double-checks to make sure the copy_from_user
> > can never overflow, keeping CONFIG_DEBUG_STRICT_USER_COPY_CHECKS happy:
> >
> > In function 'copy_from_user',
> > inlined from '__tun_chr_ioctl' at drivers/net/tun.c:1871:7:
> > ... copy_from_user() buffer size is not provably correct
> >
> > Signed-off-by: Kees Cook <keescook@chromium.org>
>
> What exactly is the issue here?
> __tun_chr_ioctl is called with sizeof(struct compat_ifreq)
> or sizeof (struct ifreq) as the last argument.
>
> So this looks like a false positive, but
> CONFIG_DEBUG_STRICT_USER_COPY_CHECKS machinery is supposed
> to avoid false positives.
>
> On which architecture is this?
Also - which kernel?
Does your kernel include: commit 3df7b41aa5e7797f391d0a41f8b0dce1fe366a09
x86: Unify copy_from_user() size checking
?
> > ---
> > drivers/net/tun.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> > index acaaf6784179..a1f317cba206 100644
> > --- a/drivers/net/tun.c
> > +++ b/drivers/net/tun.c
> > @@ -1855,7 +1855,7 @@ unlock:
> > }
> >
> > static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
> > - unsigned long arg, int ifreq_len)
> > + unsigned long arg, const size_t ifreq_len)
> > {
> > struct tun_file *tfile = file->private_data;
> > struct tun_struct *tun;
> > @@ -1869,6 +1869,7 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
> > int ret;
> >
> > if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
> > + BUG_ON(ifreq_len > sizeof(ifr));
> > if (copy_from_user(&ifr, argp, ifreq_len))
> > return -EFAULT;
> > } else {
> > --
> > 1.9.1
> >
> >
> > --
> > Kees Cook
> > Chrome OS Security
next prev parent reply other threads:[~2014-09-29 11:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-28 23:27 [PATCH] tun: make sure interface usage can not overflow Kees Cook
2014-09-29 11:04 ` David Laight
2014-09-29 19:41 ` Kees Cook
2014-09-29 20:04 ` Hannes Frederic Sowa
2014-09-30 8:20 ` David Laight
2014-09-30 8:20 ` David Laight
2014-09-30 11:03 ` Hannes Frederic Sowa
2014-09-30 11:18 ` David Laight
2014-09-30 11:18 ` David Laight
2014-09-30 12:03 ` Hannes Frederic Sowa
2014-09-29 11:48 ` Michael S. Tsirkin
2014-09-29 12:02 ` Michael S. Tsirkin [this message]
2014-09-29 19:48 ` Kees Cook
2014-09-30 11:29 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140929120228.GA1151@redhat.com \
--to=mst@redhat.com \
--cc=davem@davemloft.net \
--cc=jasowang@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
--cc=therbert@google.com \
--cc=wuzhy@linux.vnet.ibm.com \
--cc=xii@google.com \
--cc=yamato@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.