Re: [PATCH] staging:wlan-ng: use memdup_user instead of kmalloc/copy_from_user

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Michal Hocko <mhocko@suse.com>
Cc: Ivan Safonov <insafonov@gmail.com>,
	devel@driverdev.osuosl.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org,
	Johannes Weiner <hannes@cmpxchg.org>,
	Waiman Long <longman@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Allen Pais <apais@linux.microsoft.com>,
	Abheek Dhawan <adawesomeguy222@gmail.com>
Subject: Re: [PATCH] staging:wlan-ng: use memdup_user instead of kmalloc/copy_from_user
Date: Mon, 15 Feb 2021 16:26:04 +0300	[thread overview]
Message-ID: <20210215132604.GO2087@kadam> (raw)
In-Reply-To: <YCo0aAMajx0AG7JM@dhcp22.suse.cz>

On Mon, Feb 15, 2021 at 09:44:24AM +0100, Michal Hocko wrote:
> On Sat 13-02-21 15:05:28, Ivan Safonov wrote:
> > memdup_user() is shorter and safer equivalent
> > of kmalloc/copy_from_user pair.
> > 
> > Signed-off-by: Ivan Safonov <insafonov@gmail.com>
> > ---
> >  drivers/staging/wlan-ng/p80211netdev.c | 28 ++++++++++++--------------
> >  1 file changed, 13 insertions(+), 15 deletions(-)
> > 
> > diff --git a/drivers/staging/wlan-ng/p80211netdev.c b/drivers/staging/wlan-ng/p80211netdev.c
> > index a15abb2c8f54..6f9666dc0277 100644
> > --- a/drivers/staging/wlan-ng/p80211netdev.c
> > +++ b/drivers/staging/wlan-ng/p80211netdev.c
> > @@ -569,24 +569,22 @@ static int p80211knetdev_do_ioctl(struct net_device *dev,
> >  		goto bail;
> >  	}
> >  
> > -	/* Allocate a buf of size req->len */
> > -	msgbuf = kmalloc(req->len, GFP_KERNEL);
> > -	if (msgbuf) {
> > -		if (copy_from_user(msgbuf, (void __user *)req->data, req->len))
> > -			result = -EFAULT;
> > -		else
> > -			result = p80211req_dorequest(wlandev, msgbuf);
> > +	msgbuf = memdup_user(req->data, req->len);
> 
> Move to memdup_user is definitely a right step. What is the range of
> req->len though? If this can be larger than PAGE_SIZE then vmemdup_user
> would be a better alternative.

req->len shoudn't be anywhere close to PAGE_SIZE but it's actually
important to check req->len and this code does not do that which leads
to memory corruption:

drivers/staging/wlan-ng/p80211netdev.c
   566                  goto bail;
   567          } else if (cmd != P80211_IFREQ) {
   568                  result = -EINVAL;
   569                  goto bail;
   570          }
   571  
   572          msgbuf = memdup_user(req->data, req->len);
   573          if (IS_ERR(msgbuf)) {
   574                  result = PTR_ERR(msgbuf);
   575                  goto bail;
   576          }
   577  
   578          result = p80211req_dorequest(wlandev, msgbuf);

We don't know that "req->len" is >= sizeof(*msgbuf), and then we pass
msgbuf top80211req_dorequest() which calls p80211req_handlemsg().  In
p80211req_handlemsg() then "req->len" has to be larger than
sizeof(struct p80211msg_lnxreq_hostwep).

   579  
   580          if (result == 0) {
   581                  if (copy_to_user
   582                      ((void __user *)req->data, msgbuf, req->len)) {
   583                          result = -EFAULT;
   584                  }
   585          }
   586          kfree(msgbuf);
   587  
   588  bail:
   589          /* If allocate,copyfrom or copyto fails, return errno */
   590          return result;
   591  }

Smatch has a problem parsing this code because struct ifreq *ifr is a
union and Smatch gets confused.  :/

regards,
dan carpenter

     prev parent reply	other threads:[~2021-02-15 13:29 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-13 12:05 [PATCH] staging:wlan-ng: use memdup_user instead of kmalloc/copy_from_user Ivan Safonov
2021-02-15  8:44 ` Michal Hocko
2021-02-15 13:26   ` Dan Carpenter [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210215132604.GO2087@kadam \
    --to=dan.carpenter@oracle.com \
    --cc=adawesomeguy222@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=apais@linux.microsoft.com \
    --cc=devel@driverdev.osuosl.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=hannes@cmpxchg.org \
    --cc=insafonov@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=longman@redhat.com \
    --cc=mhocko@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.