From: Heinrich Schuchardt <xypron.glpk@gmx.de>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Eric Paris <eparis@redhat.com>, Jan Kara <jack@suse.cz>
Subject: Re: [PATCH] fanotify: prove that structure size is correct
Date: Thu, 02 Oct 2014 20:56:37 +0200 [thread overview]
Message-ID: <542D9FE5.3010009@gmx.de> (raw)
In-Reply-To: <20140928233538.GA31345@www.outflux.net>
On 29.09.2014 01:35, Kees Cook wrote:
> When building with CONFIG_DEBUG_STRICT_USER_COPY_CHECKS, this copy_to_user
> wasn't provably correct (the length was in a variable but the structure
> wasn't). The compiler wasn't able to check that the length was being
> statically assigned, so include a BUG_ON to notice if this ever changes.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> fs/notify/fanotify/fanotify_user.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
> index b13992a41bd9..7bdb43222875 100644
> --- a/fs/notify/fanotify/fanotify_user.c
> +++ b/fs/notify/fanotify/fanotify_user.c
> @@ -216,6 +216,7 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
>
> fd = fanotify_event_metadata.fd;
> ret = -EFAULT;
> + BUG_ON(fanotify_event_metadata.event_len != FAN_EVENT_METADATA_LEN);
Thank you for indicating an inconsistency in fanotify_user.c
In fanotify_user.c a mismatch exists between the assumptions made in
get_one_event() and copy_event_to_user().
According to the fanotify.7 man page:
"FAN_EVENT_METADATA_LEN - This is the minimum size (and currently the
only size) of any event metadata."
get_one_event() assumes that the event metadata has a length of
FAN_EVENT_METADATA_LEN and does not care about the value of event_len.
copy_event_to_user() assumes that event_len specifies the length of the
event metadata and does not care about FAN_EVENT_METADATA_LEN.
Due to these different assumptions it cannot be proven inside
fanotify_user.c that copy_to_user() is called correctly.
If we want such a prove inside fanotify_user.c, we should change
get_one_event() to use the following:
// Get the event without removing it from the group.
fsnotify_event *evt = fsnotify_peek_notify_event(group);
// Check we have enough user memory to copy the event.
if (evt->event_len > count)
return ERR_PTR(-EINVAL);
// Remove the event from the group.
fsnotify_remove_notify_event(group);
// Return the pointer we tested.
// fanotify_remove_notify_event() should return the same pointer.
return evt;
If after this change you still want a BUG_ON, pass count to
copy_event_to_user() and write
BUG_ON(fanotify_event_metadata.event_len > count);
Best regards
Heinrich Schuchardt
> if (copy_to_user(buf, &fanotify_event_metadata,
> fanotify_event_metadata.event_len))
> goto out_close_fd;
>
prev parent reply other threads:[~2014-10-02 18:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-28 23:35 [PATCH] fanotify: prove that structure size is correct Kees Cook
2014-10-02 18:56 ` Heinrich Schuchardt [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=542D9FE5.3010009@gmx.de \
--to=xypron.glpk@gmx.de \
--cc=eparis@redhat.com \
--cc=jack@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.