From: Andi Kleen <andi@firstfloor.org>
To: ocfs2-devel@oss.oracle.com
Subject: [Ocfs2-devel] [PATCH 2/2] Ocfs2: Implement new OCFS2_IOC_INFO ioctl for ocfs2.
Date: Fri, 27 Nov 2009 21:23:36 +0100 [thread overview]
Message-ID: <87tywf4szb.fsf@basil.nowhere.org> (raw)
In-Reply-To: <1259310276-7782-2-git-send-email-tristan.ye@oracle.com> (Tristan Ye's message of "Fri, 27 Nov 2009 16:24:36 +0800")
Tristan Ye <tristan.ye@oracle.com> writes:
> +
> + /*
> + * The requests series from userspace need to be NULL-terminated.
> + */
> + do {
> + preq = *((POIR *)((char *)arg + i * sizeof(POIR)));
> + if (!preq)
> + break;
> + i++;
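Review bot: `preq = *((POIR *)((char *)arg + i * sizeof(POIR)))` dereferences the raw userspace pointer `arg` from kernel context, and the `do { ... }` walk puts no upper bound on `i`. Fetch each entry with `get_user(preq, (POIR __user *)arg + i)` and return `-EFAULT` when it fails, and stop the walk once `i` reaches a fixed maximum so that the count derived from it is bounded before it is used for allocation.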
That's the first security leak. Can be used to probe arbitrary memory.
You always need to use *_user for any user space access.
> +
> + } while (preq);
> +
> + num_reqs = i;
> +
> + reqs = kmalloc(sizeof(POIR) * num_reqs, GFP_KERNEL);
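Review bot: `sizeof(POIR) * num_reqs` is plain integer arithmetic, so a large `num_reqs` wraps the product and `kmalloc()` hands back a buffer smaller than `num_reqs` entries require; the return value is also not checked for NULL. Reject `num_reqs` above a fixed limit before allocating, use `kcalloc(num_reqs, sizeof(POIR), GFP_KERNEL)`, which fails instead of wrapping on overflow, and return `-ENOMEM` when it returns NULL. The trailing `} while (preq);` is also redundant given the `if (!preq) break;` inside the loop.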
This is the next root exploit. Think what happens when the user passes a very
large number for num_reqs that overflows the multiplication.
If anything use kcalloc(). And limit the maximum size.
It's unclear why you just can't use separate ioctls for each request.
-Andi
--
ak at linux.intel.com -- Speaking for myself only.
Thread overview: 14+ messages
2009-11-27 8:24 [Ocfs2-devel] [PATCH 1/2] Ocfs2: Add new ioctls prototype and corresponding data structure to ocfs2 header Tristan Ye
2009-11-27 8:24 ` [Ocfs2-devel] [PATCH 2/2] Ocfs2: Implement new OCFS2_IOC_INFO ioctl for ocfs2 Tristan Ye
2009-11-27 20:23 ` Andi Kleen [this message]
2009-11-28 2:49 ` Tristan
2009-11-30 9:36 ` Joel Becker
2009-11-30 23:49 ` Sunil Mushran
2009-12-01 1:25 ` Tristan
2009-12-02 0:16 ` Sunil Mushran
2009-12-01 3:20 ` Tristan
2009-12-02 0:35 ` Joel Becker
2009-12-02 2:29 ` Tristan
2009-12-02 18:28 ` Joel Becker
2009-11-30 22:57 ` [Ocfs2-devel] [PATCH 1/2] Ocfs2: Add new ioctls prototype and corresponding data structure to ocfs2 header Sunil Mushran
2009-12-01 1:15 ` Tristan