Kexec Archive on lore.kernel.org
 help / color / mirror / Atom feed
* Re: CVE-2023-52823: kernel: kexec: copy user-array safely
       [not found] <2024052106-CVE-2023-52823-3d81@gregkh>
@ 2024-05-24 10:02 ` Jiri Bohac
  2024-05-24 10:15   ` Greg Kroah-Hartman
  0 siblings, 1 reply; 6+ messages in thread
From: Jiri Bohac @ 2024-05-24 10:02 UTC (permalink / raw)
  To: cve, linux-kernel
  Cc: linux-cve-announce, Greg Kroah-Hartman, Eric Biederman, kexec

On Tue, May 21, 2024 at 05:31:59PM +0200, Greg Kroah-Hartman wrote:
> kernel: kexec: copy user-array safely
> 
> Currently, there is no overflow-check with memdup_user().

This is false. 
Therefore, I'd like to dispute this CVE.

The overflow check is in the kexec_load_check()
function called shortly before the memdup_user() call:


	SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
			struct kexec_segment __user *, segments, unsigned long, flags)
	{
		result = kexec_load_check(nr_segments, flags);
		if (result)
			return result;
	...
		ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0]));
	...
	}

	#define KEXEC_SEGMENT_MAX 16
	static inline int kexec_load_check(unsigned long nr_segments,
					   unsigned long flags)
	{
	...
		if (nr_segments > KEXEC_SEGMENT_MAX)
			return -EINVAL;
	}



Thanks,

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, Prague, Czechia


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: CVE-2023-52823: kernel: kexec: copy user-array safely
  2024-05-24 10:02 ` CVE-2023-52823: kernel: kexec: copy user-array safely Jiri Bohac
@ 2024-05-24 10:15   ` Greg Kroah-Hartman
  2024-05-24 12:38     ` Jiri Bohac
  0 siblings, 1 reply; 6+ messages in thread
From: Greg Kroah-Hartman @ 2024-05-24 10:15 UTC (permalink / raw)
  To: Jiri Bohac; +Cc: cve, linux-kernel, linux-cve-announce, Eric Biederman, kexec

On Fri, May 24, 2024 at 12:02:10PM +0200, Jiri Bohac wrote:
> On Tue, May 21, 2024 at 05:31:59PM +0200, Greg Kroah-Hartman wrote:
> > kernel: kexec: copy user-array safely
> > 
> > Currently, there is no overflow-check with memdup_user().
> 
> This is false. 
> Therefore, I'd like to dispute this CVE.
> 
> The overflow check is in the kexec_load_check()
> function called shortly before the memdup_user() call:
> 
> 
> 	SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
> 			struct kexec_segment __user *, segments, unsigned long, flags)
> 	{
> 		result = kexec_load_check(nr_segments, flags);
> 		if (result)
> 			return result;
> 	...
> 		ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0]));
> 	...
> 	}
> 
> 	#define KEXEC_SEGMENT_MAX 16
> 	static inline int kexec_load_check(unsigned long nr_segments,
> 					   unsigned long flags)
> 	{
> 	...
> 		if (nr_segments > KEXEC_SEGMENT_MAX)
> 			return -EINVAL;
> 	}

Nice, but then why was this commit worded this way?  Now we check twice?
Double safe?  Should it be reverted?

I'll go revoke this, thanks for the review!

greg k-h

_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: CVE-2023-52823: kernel: kexec: copy user-array safely
  2024-05-24 10:15   ` Greg Kroah-Hartman
@ 2024-05-24 12:38     ` Jiri Bohac
  2024-05-24 14:13       ` Jiri Bohac
  2024-05-24 15:26       ` Greg Kroah-Hartman
  0 siblings, 2 replies; 6+ messages in thread
From: Jiri Bohac @ 2024-05-24 12:38 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: cve, linux-kernel, linux-cve-announce, Eric Biederman, kexec

On Fri, May 24, 2024 at 12:15:47PM +0200, Greg Kroah-Hartman wrote:
> Nice, but then why was this commit worded this way?  Now we check twice?
> Double safe?  Should it be reverted?

double safe's good; turning it into a CVE not so much :(
CVE-2023-52822, CVE-2023-52824 and CVE-2023-52820, originally from the same patch
series, seem to be the exact same case.

CVE-2023-52822:

	int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
				     struct drm_file *file_priv)
	{
	...
		if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
		    num_sizes == 0)
			return -EINVAL;
	...
		metadata->num_sizes = num_sizes;
		metadata->sizes =
			memdup_user((struct drm_vmw_size __user *)(unsigned long)
				    req->size_addr,
				    sizeof(*metadata->sizes) * metadata->num_sizes);
	}

CVE-2023-52824 (here the check is in the immediately preceeding statement, could it
be any more obvious?):

	long watch_queue_set_filter(struct pipe_inode_info *pipe,
				    struct watch_notification_filter __user *_filter)
	{
		if (filter.nr_filters == 0 ||
		    filter.nr_filters > 16 ||
		    filter.__reserved != 0)
			return -EINVAL;

		tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf));
	}


CVE-2023-52820 is a little less obvious to be safe, but I believe it is:

	int drm_mode_create_lease_ioctl(struct drm_device *dev,
					void *data, struct drm_file *lessor_priv)
	{
	...
			object_ids = memdup_user(u64_to_user_ptr(cl->object_ids),
						 array_size(object_count, sizeof(__u32)));

	array_size() will safely multiply object_count * 4 and return SIZE_MAX on
	overflow, making the kmalloc inside memdup_user cleanly fail with -ENOMEM.


> I'll go revoke this, thanks for the review!

could you check and revoke all the above as well?

Thanks,

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, Prague, Czechia


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: CVE-2023-52823: kernel: kexec: copy user-array safely
  2024-05-24 12:38     ` Jiri Bohac
@ 2024-05-24 14:13       ` Jiri Bohac
  2024-05-24 15:27         ` Greg Kroah-Hartman
  2024-05-24 15:26       ` Greg Kroah-Hartman
  1 sibling, 1 reply; 6+ messages in thread
From: Jiri Bohac @ 2024-05-24 14:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: cve, linux-kernel, linux-cve-announce, Eric Biederman, kexec

On Fri, May 24, 2024 at 02:38:04PM +0200, Jiri Bohac wrote:
> On Fri, May 24, 2024 at 12:15:47PM +0200, Greg Kroah-Hartman wrote:
> > Nice, but then why was this commit worded this way?  Now we check twice?
> > Double safe?  Should it be reverted?
> 
> double safe's good; turning it into a CVE not so much :(
> CVE-2023-52822, CVE-2023-52824 and CVE-2023-52820, originally from the same patch
> series, seem to be the exact same case.

Same thing: CVE-2023-52758


-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, Prague, Czechia


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: CVE-2023-52823: kernel: kexec: copy user-array safely
  2024-05-24 12:38     ` Jiri Bohac
  2024-05-24 14:13       ` Jiri Bohac
@ 2024-05-24 15:26       ` Greg Kroah-Hartman
  1 sibling, 0 replies; 6+ messages in thread
From: Greg Kroah-Hartman @ 2024-05-24 15:26 UTC (permalink / raw)
  To: Jiri Bohac; +Cc: cve, linux-kernel, linux-cve-announce, Eric Biederman, kexec

On Fri, May 24, 2024 at 02:38:04PM +0200, Jiri Bohac wrote:
> On Fri, May 24, 2024 at 12:15:47PM +0200, Greg Kroah-Hartman wrote:
> > Nice, but then why was this commit worded this way?  Now we check twice?
> > Double safe?  Should it be reverted?
> 
> double safe's good; turning it into a CVE not so much :(
> CVE-2023-52822, CVE-2023-52824 and CVE-2023-52820, originally from the same patch
> series, seem to be the exact same case.
> 
> CVE-2023-52822:
> 
> 	int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
> 				     struct drm_file *file_priv)
> 	{
> 	...
> 		if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
> 		    num_sizes == 0)
> 			return -EINVAL;
> 	...
> 		metadata->num_sizes = num_sizes;
> 		metadata->sizes =
> 			memdup_user((struct drm_vmw_size __user *)(unsigned long)
> 				    req->size_addr,
> 				    sizeof(*metadata->sizes) * metadata->num_sizes);
> 	}

Agreed, now rejected.

> CVE-2023-52824 (here the check is in the immediately preceeding statement, could it
> be any more obvious?):
> 
> 	long watch_queue_set_filter(struct pipe_inode_info *pipe,
> 				    struct watch_notification_filter __user *_filter)
> 	{
> 		if (filter.nr_filters == 0 ||
> 		    filter.nr_filters > 16 ||
> 		    filter.__reserved != 0)
> 			return -EINVAL;
> 
> 		tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf));
> 	}

Yup, now rejected.

> 
> 
> CVE-2023-52820 is a little less obvious to be safe, but I believe it is:
> 
> 	int drm_mode_create_lease_ioctl(struct drm_device *dev,
> 					void *data, struct drm_file *lessor_priv)
> 	{
> 	...
> 			object_ids = memdup_user(u64_to_user_ptr(cl->object_ids),
> 						 array_size(object_count, sizeof(__u32)));
> 
> 	array_size() will safely multiply object_count * 4 and return SIZE_MAX on
> 	overflow, making the kmalloc inside memdup_user cleanly fail with -ENOMEM.

Also agreed, now rejected.

thanks,

greg k-h

_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: CVE-2023-52823: kernel: kexec: copy user-array safely
  2024-05-24 14:13       ` Jiri Bohac
@ 2024-05-24 15:27         ` Greg Kroah-Hartman
  0 siblings, 0 replies; 6+ messages in thread
From: Greg Kroah-Hartman @ 2024-05-24 15:27 UTC (permalink / raw)
  To: Jiri Bohac; +Cc: cve, linux-kernel, linux-cve-announce, Eric Biederman, kexec

On Fri, May 24, 2024 at 04:13:53PM +0200, Jiri Bohac wrote:
> On Fri, May 24, 2024 at 02:38:04PM +0200, Jiri Bohac wrote:
> > On Fri, May 24, 2024 at 12:15:47PM +0200, Greg Kroah-Hartman wrote:
> > > Nice, but then why was this commit worded this way?  Now we check twice?
> > > Double safe?  Should it be reverted?
> > 
> > double safe's good; turning it into a CVE not so much :(
> > CVE-2023-52822, CVE-2023-52824 and CVE-2023-52820, originally from the same patch
> > series, seem to be the exact same case.
> 
> Same thing: CVE-2023-52758

Agreed, now rejected, thanks for the review!

greg k-h

_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-05-24 15:27 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <2024052106-CVE-2023-52823-3d81@gregkh>
2024-05-24 10:02 ` CVE-2023-52823: kernel: kexec: copy user-array safely Jiri Bohac
2024-05-24 10:15   ` Greg Kroah-Hartman
2024-05-24 12:38     ` Jiri Bohac
2024-05-24 14:13       ` Jiri Bohac
2024-05-24 15:27         ` Greg Kroah-Hartman
2024-05-24 15:26       ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox