From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Andi Kleen <ak@linux.intel.com>, Arnd Bergmann <arnd@arndb.de>,
Hoeun Ryu <hoeun.ryu@gmail.com>,
Hans-Christian Noren Egtvedt <egtvedt@samfundet.no>,
linux-kernel@vger.kernel.org
Subject: [PATCH] uaccess: Zero destination buffer on overflow attempt
Date: Wed, 5 Jul 2017 13:01:13 -0700 [thread overview]
Message-ID: <20170705200113.GA146915@beast> (raw)
When the destination buffer size is known at build time but the runtime
size to copy into it is not known, the copy_from_user() will WARN when
it is too large and the copy_from_user() will fail. However, it was not
zeroing the destination buffer (for which it knows the correct size). This
fixes that corner case and adds a test for it in test_user_copy.c.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/uaccess.h | 5 +++--
lib/test_user_copy.c | 12 ++++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index 201418d5e15c..e350d81eb763 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -152,9 +152,10 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
if (likely(sz < 0 || sz >= n)) {
check_object_size(to, n, false);
n = _copy_from_user(to, from, n);
- } else if (!__builtin_constant_p(n))
+ } else if (!__builtin_constant_p(n)) {
copy_user_overflow(sz, n);
- else
+ memset(to, 0, sz);
+ } else
__bad_copy_user();
return n;
diff --git a/lib/test_user_copy.c b/lib/test_user_copy.c
index 4621db801b23..c7a1da157c53 100644
--- a/lib/test_user_copy.c
+++ b/lib/test_user_copy.c
@@ -57,6 +57,8 @@ static int __init test_user_copy_init(void)
char __user *usermem;
char *bad_usermem;
unsigned long user_addr;
+ volatile int unconst = 0;
+ char charbuf[8];
u8 val_u8;
u16 val_u16;
u32 val_u32;
@@ -124,6 +126,7 @@ static int __init test_user_copy_init(void)
/* Prepare kernel memory with check values. */
memset(kmem, 0x5a, PAGE_SIZE);
memset(kmem + PAGE_SIZE, 0, PAGE_SIZE);
+ memset(charbuf, 0x6a, sizeof(charbuf));
/* Reject kernel-to-kernel copies through copy_from_user(). */
ret |= test(!copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE),
@@ -134,6 +137,15 @@ static int __init test_user_copy_init(void)
ret |= test(memcmp(kmem + PAGE_SIZE, kmem, PAGE_SIZE),
"zeroing failure for illegal all-kernel copy_from_user");
+ /* Reject copies into too-small buffers. */
+ ret |= test(!copy_from_user(charbuf, usermem,
+ sizeof(charbuf) + 1 + unconst),
+ "illegal too-large copy_from_user passed");
+
+ /* Destination buffer should have been entirely zeroed. */
+ ret |= test(memcmp(kmem + PAGE_SIZE, charbuf, sizeof(charbuf)),
+ "zeroing failure for illegal too-large copy_from_user");
+
#if 0
/*
* When running with SMAP/PAN/etc, this will Oops the kernel
--
2.7.4
--
Kees Cook
Pixel Security
reply other threads:[~2017-07-05 20:01 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170705200113.GA146915@beast \
--to=keescook@chromium.org \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=egtvedt@samfundet.no \
--cc=hoeun.ryu@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.