From: Olof Johansson <olof@lixom.net>
To: Gwendal Grignou <gwendal@chromium.org>
Cc: rdunlap@infradead.org, olofj@chromium.org,
alan@lxorguk.ukuu.org.uk, cernekee@chromium.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] platform/chrome: cros_ec_dev - Fix security issue
Date: Sun, 6 Mar 2016 12:11:31 -0800 [thread overview]
Message-ID: <20160306201131.GE20171@localhost> (raw)
In-Reply-To: <1457031613-35255-1-git-send-email-gwendal@chromium.org>
Hi,
On Thu, Mar 03, 2016 at 11:00:13AM -0800, Gwendal Grignou wrote:
> Add a check to prevent memory scribble when sending an ioctl with .insize
> set so large that memory allocation argument overflows.
>
> Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
> ---
> drivers/platform/chrome/cros_ec_dev.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c
> index d45cd25..0b2f730 100644
> --- a/drivers/platform/chrome/cros_ec_dev.c
> +++ b/drivers/platform/chrome/cros_ec_dev.c
> @@ -131,13 +131,23 @@ static ssize_t ec_device_read(struct file *filp, char __user *buffer,
> static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
> {
> long ret;
> + size_t data_size;
> struct cros_ec_command u_cmd;
> struct cros_ec_command *s_cmd;
>
> if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
> return -EFAULT;
>
> - s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
> + /*
> + * Prevent malicious attack where .insize is so big that amount
> + * kmalloc'ed rollover, allowing memcpy to write beyond the allocated
> + * space.
> + */
> + data_size = max(u_cmd.outsize, u_cmd.insize);
> + if (data_size + sizeof(*s_cmd) < data_size)
> + return -EINVAL;
> +
> + s_cmd = kmalloc(sizeof(*s_cmd) + data_size,
> GFP_KERNEL);
This test does work, but it's sort of silly to even try to allow almost 4GB of
allocation here.
How about you introduce a reasonable max size for a transaction instead
(256K?), and compare data_size with that? Might want to check with the EC folks
what they expect larges transactions to be from their side, and go with
a margin above that.
Also, in your commit message you should refer to the CVE this fixes.
-Olof
next prev parent reply other threads:[~2016-03-06 22:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-01 20:33 Security hole in cros_ec_dev.c on 32bit chrome hosts Alan Cox
2016-03-03 5:58 ` [PATCH] platform/chrome: cros_ec_dev - Fix security issue Gwendal Grignou
2016-03-03 18:35 ` Randy Dunlap
2016-03-03 19:00 ` [PATCH v2] " Gwendal Grignou
2016-03-06 20:11 ` Olof Johansson [this message]
2016-03-08 17:02 ` Gwendal Grignou
2016-03-08 17:13 ` [PATCH v3] " Gwendal Grignou
2016-05-11 17:58 ` Olof Johansson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160306201131.GE20171@localhost \
--to=olof@lixom.net \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cernekee@chromium.org \
--cc=gwendal@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=olofj@chromium.org \
--cc=rdunlap@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.