From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Pengfei Wang <wpengfeinudt@gmail.com>,
Michael Holzheu <holzheu@linux.vnet.ibm.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Juerg Haefliger <juerg.haefliger@hpe.com>
Subject: [PATCH 3.14 09/11] s390/sclp_ctl: fix potential information leak with /dev/sclp
Date: Fri, 9 Sep 2016 17:33:44 +0200
Message-ID: <20160909153157.619954072@linuxfoundation.org>
In-Reply-To: <20160909153156.152470606@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream.
The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
retrieve the sclp request from user space. The first copy_from_user
fetches the length of the request which is stored in the first two
bytes of the request. The second copy_from_user gets the complete
sclp request, but this copies the length field a second time.
A malicious user may have changed the length in the meantime.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/char/sclp_ctl.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/s390/char/sclp_ctl.c
+++ b/drivers/s390/char/sclp_ctl.c
@@ -56,6 +56,7 @@ static int sclp_ctl_ioctl_sccb(void __us
{
struct sclp_ctl_sccb ctl_sccb;
struct sccb_header *sccb;
+ unsigned long copied;
int rc;
if (copy_from_user(&ctl_sccb, user_area, sizeof(ctl_sccb)))
@@ -65,14 +66,15 @@ static int sclp_ctl_ioctl_sccb(void __us
sccb = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
if (!sccb)
return -ENOMEM;
- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sizeof(*sccb))) {
+ copied = PAGE_SIZE -
+ copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), PAGE_SIZE);
+ if (offsetof(struct sccb_header, length) +
+ sizeof(sccb->length) > copied || sccb->length > copied) {
rc = -EFAULT;
goto out_free;
}
- if (sccb->length > PAGE_SIZE || sccb->length < 8)
- return -EINVAL;
- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sccb->length)) {
- rc = -EFAULT;
+ if (sccb->length < 8) {
+ rc = -EINVAL;
goto out_free;
}
rc = sclp_sync_request(ctl_sccb.cmdw, sccb);
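Review bot: the dropped `sccb->length > PAGE_SIZE` test is subsumed by the new `sccb->length > copied` check, since `copied` can never exceed PAGE_SIZE, but an oversized length now fails with -EFAULT where the old code returned -EINVAL; that is a small return-value change worth calling out in the description for anyone matching on -EINVAL. The single full-page copy is what closes the double fetch: `sccb->length` is validated and then consumed from the same kernel copy, so user space can no longer alter it between the validation read and the request. The first half of the new condition, `offsetof(struct sccb_header, length) + sizeof(sccb->length) > copied`, correctly refuses a mapping too short to even hold the length field, and because the page comes from get_zeroed_page() any bytes beyond a partial copy are zero rather than stale data. The old `return -EINVAL` also bypassed `out_free` and leaked the page; routing the `< 8` rejection through `goto out_free` fixes that leak as a side effect.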
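The single-copy-then-validate pattern the patch adopts, as an added user-space model that is not the kernel's code: `copy_from_user_model()`, `struct user_mapping` and the trimmed `struct sccb_header` are stand-ins defined here, `calloc()` stands in for get_zeroed_page(), and only the control flow of `fetch_sccb()` mirrors the patched sclp_ctl_ioctl_sccb(). The `try_request()` helper is likewise hypothetical; it builds a request whose length field and readable mapping size are chosen by the caller so the three rejection paths (length field unreadable, request longer than what could be copied, length below the 8-byte minimum) can be exercised alongside an accepted request.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096

/* Stand-in for the real struct sccb_header: the length lives in the first two bytes. */
struct sccb_header {
	uint16_t length;
	uint8_t function_code;
	uint8_t control_mask[3];
	uint16_t response_code;
};

/* Model of the user mapping handed to the ioctl: only `len` bytes from `buf` are readable. */
struct user_mapping {
	const uint8_t *buf;
	size_t len;
};

/* Stand-in for copy_from_user(): copies the readable prefix of the request and
 * returns the number of bytes that could NOT be copied, like the kernel helper. */
static unsigned long copy_from_user_model(void *to, const struct user_mapping *from,
					  unsigned long n)
{
	size_t ncopy = n < from->len ? n : from->len;

	memcpy(to, from->buf, ncopy);
	return n - ncopy;
}

/* Mirrors the patched fetch: one full-page copy, then every check is made on
 * the kernel copy, so the length cannot change between validation and use.
 * Returns 0 and hands the page to the caller (who frees it), or a negative errno. */
static int fetch_sccb(const struct user_mapping *user, struct sccb_header **out)
{
	struct sccb_header *sccb;
	unsigned long copied;

	sccb = calloc(1, PAGE_SIZE);	/* get_zeroed_page() stand-in: trailing bytes stay zero */
	if (!sccb)
		return -ENOMEM;
	copied = PAGE_SIZE - copy_from_user_model(sccb, user, PAGE_SIZE);
	/* The length field itself must have been read, and the whole request
	 * must lie inside what was actually copied (this also bounds it to one page). */
	if (offsetof(struct sccb_header, length) + sizeof(sccb->length) > copied ||
	    sccb->length > copied) {
		free(sccb);
		return -EFAULT;
	}
	if (sccb->length < 8) {
		free(sccb);
		return -EINVAL;
	}
	*out = sccb;
	return 0;
}

/* Constructed test input: a request claiming `length` bytes inside a user
 * mapping of `mapped` readable bytes.  Returns the rc fetch_sccb() produced. */
static int try_request(uint16_t length, size_t mapped)
{
	uint8_t *buf = calloc(1, mapped ? mapped : 1);
	struct user_mapping user = { buf, mapped };
	struct sccb_header hdr = { .length = length };
	struct sccb_header *sccb = NULL;
	int rc;

	memcpy(buf, &hdr, mapped < sizeof(hdr) ? mapped : sizeof(hdr));
	rc = fetch_sccb(&user, &sccb);
	free(sccb);
	free(buf);
	return rc;
}

int main(void)
{
	printf("64-byte request, 64 readable   -> %d\n", try_request(64, 64));	/* 0 */
	printf("64-byte request, 1 readable    -> %d\n", try_request(64, 1));	/* -EFAULT: length field cut off */
	printf("64-byte request, 32 readable   -> %d\n", try_request(64, 32));	/* -EFAULT: request exceeds copy */
	printf("5000-byte request, 8192 read   -> %d\n", try_request(5000, 8192));	/* -EFAULT: over one page */
	printf("4-byte request, 64 readable    -> %d\n", try_request(4, 64));	/* -EINVAL: below 8-byte minimum */
	return 0;
}
```

The request longer than a page lands in the -EFAULT path rather than -EINVAL, which is the return-code shift the patch introduces by folding the old PAGE_SIZE test into the `copied` comparison.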