From: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
To: Bryan Fulton <bryan@coverity.com>
Cc: linux-kernel@vger.kernel.org, jaharkes@cs.cmu.edu,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Andrew Morton <akpm@osdl.org>,
acme@conectiva.com.br, davem@redhat.com, kas@fi.muni.cz,
nathans@sgi.com
Subject: Re: [Coverity] Untrusted user data in kernel
Date: Wed, 5 Jan 2005 10:04:23 -0200 [thread overview]
Message-ID: <20050105120423.GA13662@logos.cnet> (raw)
In-Reply-To: <1103247211.3071.74.camel@localhost.localdomain>
[-- Attachment #1: Type: text/plain, Size: 6556 bytes --]
Hi Bryan,
First of all, thanks very much for this effort.
Davem: Please check the networking ones, there are several.
On Thu, Dec 16, 2004 at 05:33:32PM -0800, Bryan Fulton wrote:
> Hi, recently we ran a security checker over linux and discovered some
> flaws in the Linux 2.6.9 kernel. I've inserted into this post a few
> examples of what we found. These functions copy in user data
> (copy_from_user) and use it as an array index, loop bound or memory
> function argument without proper bounds checking.
>
> This posting just involves bugs in /fs, /net and /drivers/net. There
> will be more postings for similar flaws in the drivers, as well as
> network exploitable bugs and bugs in system calls.
We're anxious to see those.
> Some can be viewed as minor as they might involve directly passing an
> unsigned tainted scalar to kmalloc. I was under the impression that
> kmalloc has an implicit bounds check as it returns null if attempting to
> allocate >64kb (or at least it used to). Can someone confirm/disconfirm
> that?
On v2.6 the kmalloc limit is 128k for most machines.
!CONFIG_MMU allows up to 1Mb and CONFIG_LARGE_ALLOCS allows up to 32Mb, so better
not rely on kmalloc checking. ;)
> Suggestions for other security properties to check are welcome. We
> appreciate your feedback as a method to improve and expand our
> security checkers.
Please run the checker on v2.4.29-pre3.
Would be really nice if you could do it periodically say on each new kernel release (v2.6
and v2.4) or a monthly basis.
> Thanks,
> .:Bryan Fulton and Ted Unangst of Coverity, Inc.
>
> Quick location summary:
>
> /fs/coda/pioctl.c::coda_pioctl
> /fs/xfs/linux-2.6/xfs_ioctl.c::xfs_attrmulti_by_handle
> /net/ipv6/netfilter/ip6_tables.c::do_replace
> /net/bridge/br_ioctl.c::old_deviceless
> /net/rose/rose_route.c::rose_rt_ioctl
> /drivers/net/wan/sdla.c::sdla_xfer
>
> /////////////////////////////////////////////////////
> // 1: /fs/coda/pioctl.c::coda_pioctl //
> /////////////////////////////////////////////////////
> - tainted scalars (signed shorts) data->vi.in_size and data->vi.out_size
> are used to copy memory from and to user space
> - neither are properly upper/lower bounds checked (in_size only
> upper-bound checked, out_size only lower-bound checked)
<snip>
> TAINTED variable "((data)->vi).in_size" passed to tainted data sink
> "copy_from_user"
>
> 572 if ( copy_from_user((char*)inp + (long)inp->coda_ioctl.data,
> 573 data->vi.in, data->vi.in_size) ) {
> 574 error = -EINVAL;
> 575 goto exit;
> 576 }
>
> ...
>
> Checked lower bounds of signed scalar "((data)->vi).out_size" by
> "((outp)->coda_ioctl).len >
> ((data)->vi).out_size"
>
> 588 if (outp->coda_ioctl.len > data->vi.out_size) {
> 589 error = -EINVAL;
> 590 } else {
>
> TAINTED variable "((data)->vi).out_size" passed to tainted data sink
> "copy_to_user"
>
> 591 if (copy_to_user(data->vi.out,
> 592 (char *)outp +
> (long)outp->coda_ioctl.data,
> 593 data->vi.out_size)) {
> 594 error = -EFAULT;
> 595 goto exit;
> 596 }
Correct, fix for both v2.4 and v2.6 attached. Adds bound checking:
Jan Harkes, please check correctness so we can apply it.
--- linux-2.6.10-rc3/fs/coda/upcall.c.orig 2005-01-05 10:30:24.575445152 -0200
+++ linux-2.6.10-rc3/fs/coda/upcall.c 2005-01-05 10:30:26.623133856 -0200
@@ -550,10 +550,15 @@
UPARG(CODA_IOCTL);
/* build packet for Venus */
- if (data->vi.in_size > VC_MAXDATASIZE) {
+ if (data->vi.in_size > VC_MAXDATASIZE || data->vi.in_size < 0) {
error = -EINVAL;
goto exit;
- }
+ }
+
+ if (data->vi.out_size > VC_MAXDATASIZE || data->vi.out_size < 0) {
+ error = -EINVAL;
+ goto exit;
+ }
inp->coda_ioctl.VFid = *fid;
> ////////////////////////////////////////////////////////////////////
> // 2: /fs/xfs/linux-2.6/xfs_ioctl.c::xfs_attrmulti_by_handle //
> ////////////////////////////////////////////////////////////////////
XFS people, can you take care of this one please. Not a security threat,
protected under ADMIN caps.
> ////////////////////////////////////////////////////////
> // 3: /net/ipv6/netfilter/ip6_tables.c::do_replace //
> ////////////////////////////////////////////////////////
This one lacks bound checking as people discussed, but is not
a security threat since region is protected under NET_ADMIN caps.
> //////////////////////////////////////////////////
> // 4: /net/bridge/br_ioctl.c::old_deviceless //
> //////////////////////////////////////////////////
Lacks bound checking but is not a security threat since region
is protectedunder NET_ADMIN caps.
Something similar to this should do it. Not sure if "65535" is a
sane value, though.
--- br_ioctl.c.orig 2005-01-05 11:02:28.301994264 -0200
+++ br_ioctl.c 2005-01-05 11:02:30.552652112 -0200
@@ -324,6 +324,9 @@
int *indices;
int ret = 0;
+ if (args[2] > 65535)
+ return -EFAULT;
+
indices = kmalloc(args[2]*sizeof(int), GFP_KERNEL);
if (indices == NULL)
return -ENOMEM;
> //////////////////////////////////////////////////
> // 5: /net/rose/rose_route.c::rose_rt_ioctl //
> //////////////////////////////////////////////////
Not a security threat because requires NET_ADMIN caps.
Alan, Arnaldo, proper bound checking is required nevertheless.
Can you take a look at this please?
> //////////////////////////////////////////////
> // 6: /drivers/net/wan/sdla.c::sdla_xfer //
> //////////////////////////////////////////////
>
> - tainted signed scalar mem.len passed to kmalloc and memset (1206 and
> 1211, or 1220 and 1223). Possibly minor because of kmalloc's
> implicit size check
Protected by NET_ADMIN caps, but definately needs some bound checking.
Jan, I think SDLA_MAX_DATA is the correct bound to check for here, can
you confirm please?
--- linux-2.4.28.orig/drivers/net/wan/sdla.c 2004-12-31 15:21:16.000000000 -0200
+++ linux-2.4.28/drivers/net/wan/sdla.c 2005-01-05 11:23:15.089453760 -0200
@@ -1195,6 +1195,9 @@
if(copy_from_user(&mem, info, sizeof(mem)))
return -EFAULT;
+
+ if (mem.len > SDLA_MAX_DATA || mem.len < 0)
+ return -EFAULT;
if (read)
{
[-- Attachment #2: 24_coda.patch --]
[-- Type: text/plain, Size: 622 bytes --]
--- linux-2.4.28/fs/coda/upcall.c.orig 2005-01-05 10:33:55.427390784 -0200
+++ linux-2.4.28/fs/coda/upcall.c 2005-01-05 10:33:58.739887208 -0200
@@ -538,11 +538,16 @@
UPARG(CODA_IOCTL);
/* build packet for Venus */
- if (data->vi.in_size > VC_MAXDATASIZE) {
+ if (data->vi.in_size > VC_MAXDATASIZE || data->vi.in_size < 0) {
error = -EINVAL;
goto exit;
}
+ if (data->vi.out_size > VC_MAXDATASIZE || data->vi.out_size < 0) {
+ error = -EINVAL;
+ goto exit;
+ }
+
inp->coda_ioctl.VFid = *fid;
/* the cmd field was mutated by increasing its size field to
[-- Attachment #3: 26_coda.patch --]
[-- Type: text/plain, Size: 572 bytes --]
--- linux-2.6.10-rc3/fs/coda/upcall.c.orig 2005-01-05 10:30:24.575445152 -0200
+++ linux-2.6.10-rc3/fs/coda/upcall.c 2005-01-05 10:30:26.623133856 -0200
@@ -550,10 +550,15 @@
UPARG(CODA_IOCTL);
/* build packet for Venus */
- if (data->vi.in_size > VC_MAXDATASIZE) {
+ if (data->vi.in_size > VC_MAXDATASIZE || data->vi.in_size < 0) {
error = -EINVAL;
goto exit;
- }
+ }
+
+ if (data->vi.out_size > VC_MAXDATASIZE || data->vi.out_size < 0) {
+ error = -EINVAL;
+ goto exit;
+ }
inp->coda_ioctl.VFid = *fid;
next prev parent reply other threads:[~2005-01-05 14:38 UTC|newest]
Thread overview: 238+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-17 1:33 [Coverity] Untrusted user data in kernel Bryan Fulton
2004-12-17 5:15 ` James Morris
2004-12-17 5:25 ` Patrick McHardy
2004-12-17 6:45 ` James Morris
2004-12-17 13:18 ` Tomas Carnecky
2004-12-17 19:16 ` David S. Miller
2004-12-17 19:34 ` Tomas Carnecky
2004-12-17 19:30 ` David S. Miller
2004-12-17 15:47 ` Bill Davidsen
2004-12-17 16:11 ` linux-os
2004-12-17 16:31 ` Oliver Neukum
2004-12-17 18:37 ` Bill Davidsen
2004-12-17 19:18 ` Tomas Carnecky
2004-12-17 19:30 ` Oliver Neukum
2004-12-17 19:39 ` Tomas Carnecky
2004-12-18 1:42 ` Horst von Brand
2004-12-17 15:10 ` Pavel Machek
2004-12-17 15:38 ` James Morris
2005-01-05 12:04 ` Marcelo Tosatti [this message]
2005-01-05 15:09 ` Jan Harkes
2005-01-05 23:17 ` Nathan Scott
[not found] ` <20050105161653.GF13455@fi.muni.cz>
[not found] ` <20050105140549.GA14622@logos.cnet>
2005-01-06 9:18 ` Jan Kasprzak
2005-01-06 14:48 ` Paulo Marques
2005-01-06 16:29 ` Alan Cox
2005-01-07 21:49 ` [PATCH 2.4.29-pre3-bk4] fs/coda " Jan Harkes
2005-01-07 21:54 ` [PATCH 2.6.10-mm2] " Jan Harkes
-- strict thread matches above, loose matches on Subject: below --
2004-12-02 0:04 What if? Imanpreet Singh Arora
2004-12-02 4:40 ` Theodore Ts'o
2004-12-02 6:39 ` Norbert van Nobelen
2004-12-02 8:24 ` James Bruce
2004-12-02 20:25 ` Theodore Ts'o
2004-12-03 2:23 ` David Schwartz
2004-12-02 8:33 ` J.A. Magallon
2004-12-02 10:46 ` Bernd Petrovitsch
2004-12-02 10:56 ` Pawel Sikora
2004-12-13 15:23 ` H. Peter Anvin
2004-12-13 21:08 ` J.A. Magallon
2004-12-16 0:57 ` Alan Cox
2004-12-16 2:44 ` H. Peter Anvin
2004-12-16 13:23 ` Alan Cox
2004-12-16 15:23 ` Geert Uytterhoeven
2004-12-16 20:37 ` H. Peter Anvin
2004-12-16 20:52 ` Jan Engelhardt
2004-12-16 20:56 ` H. Peter Anvin
2004-12-16 21:08 ` Jan Engelhardt
2004-12-02 10:25 ` Jan Engelhardt
2004-12-05 0:23 ` Horst von Brand
2004-12-05 6:21 ` Kyle Moffett
2004-12-05 22:43 ` Horst von Brand
2004-12-06 17:27 ` linux-os
2004-12-06 18:52 ` Horst von Brand
2004-12-02 10:53 ` Bernd Petrovitsch
2004-12-11 8:52 ` Gábor Lénárt
2004-11-04 16:01 Linux-2.6.9 won't allow a write to a NTFS file-system linux-os
2004-11-04 16:48 ` Giuseppe Bilotta
2004-11-04 17:09 ` linux-os
2004-11-04 17:40 ` Giuseppe Bilotta
2004-11-04 17:46 ` Mathieu Segaud
2004-11-04 22:17 ` Anton Altaparmakov
2004-11-04 22:18 ` Anton Altaparmakov
2004-11-04 22:38 ` linux-os
2004-11-05 14:43 ` Rahul Karnik
2004-11-05 1:46 ` Horst von Brand
2004-11-05 12:41 ` linux-os
2004-10-18 22:45 Linux v2.6.9 Linus Torvalds
2004-10-18 23:27 ` Thomas Zehetbauer
2004-10-19 2:54 ` Eric W. Biederman
2004-10-19 16:55 ` Jesper Juhl
2004-10-19 14:36 ` Linux v2.6.9... (compile stats) John Cherry
2004-10-19 16:18 ` Matthew Dharm
2004-10-19 16:49 ` viro
2004-10-19 21:37 ` John Cherry
2004-10-20 22:11 ` John Cherry
2004-10-20 22:41 ` viro
2004-10-21 0:12 ` Linus Torvalds
2004-10-21 0:29 ` Jeff Garzik
2004-10-21 0:44 ` viro
2004-10-21 1:55 ` viro
2004-10-21 1:59 ` Jeff Garzik
2004-10-21 2:24 ` viro
2004-10-21 2:37 ` Jeff Garzik
2004-10-21 4:35 ` viro
2004-10-21 8:57 ` Jeff Garzik
2004-10-20 22:50 ` Dave Jones
2004-10-19 17:38 ` Linux v2.6.9 and GPL Buyout Jeff V. Merkey
2004-10-19 19:13 ` Russell King
2004-10-19 19:04 ` Jeff V. Merkey
2004-10-19 19:24 ` Kurt Wall
2004-10-19 19:12 ` Jeff V. Merkey
2004-10-19 20:01 ` Richard B. Johnson
2004-10-19 20:39 ` Matt Mackall
2004-10-20 0:06 ` Richard B. Johnson
2004-10-20 5:21 ` Matt Mackall
2004-10-19 19:28 ` Andre Hedrick
2004-10-19 19:10 ` Jeff V. Merkey
2004-10-19 19:30 ` Rik van Riel
2004-10-19 19:05 ` Jeff V. Merkey
2004-10-19 20:14 ` Diego Calleja
2004-10-19 19:41 ` Jeff V. Merkey
2004-10-20 8:27 ` Bernd Petrovitsch
2004-10-20 8:45 ` Jens Axboe
2004-10-19 19:47 ` Jeff V. Merkey
2004-10-19 20:05 ` Richard B. Johnson
2004-10-19 19:38 ` Jeff V. Merkey
2004-10-19 20:30 ` Thomas Gleixner
2004-10-19 20:15 ` Jeff V. Merkey
2004-10-22 23:22 ` Tonnerre
2004-10-19 19:45 ` Ross Biro
2004-10-19 19:36 ` Jeff V. Merkey
2004-10-19 19:54 ` David Johnson
2004-10-19 19:55 ` viro
2004-10-19 19:25 ` Jeff V. Merkey
2004-10-19 20:38 ` Dax Kelson
2004-10-19 20:09 ` Jeff V. Merkey
2004-10-19 22:16 ` Jim Nelson
2004-10-19 22:57 ` Bernd Petrovitsch
2004-10-19 22:27 ` Scott Robert Ladd
2004-10-20 19:41 ` Bill Davidsen
2004-10-20 1:15 ` Horst von Brand
2004-10-20 1:16 ` Bastiaan Spandaw
2004-10-20 19:35 ` Bill Davidsen
2004-10-20 3:45 ` Ryan Anderson
2004-10-20 4:18 ` Lee Revell
2004-10-20 4:41 ` Lee Revell
2004-10-20 11:49 ` Richard B. Johnson
2004-10-29 12:12 ` Semaphore assembly-code bug linux-os
2004-10-29 14:46 ` Linus Torvalds
2004-10-29 15:11 ` Andi Kleen
2004-10-29 18:18 ` Linus Torvalds
2004-10-29 18:35 ` Richard Henderson
2004-10-29 16:06 ` Andreas Steinmetz
2004-10-29 17:08 ` linux-os
2004-10-29 18:06 ` Linus Torvalds
2004-10-29 18:39 ` linux-os
2004-10-29 19:12 ` Linus Torvalds
2004-11-01 1:31 ` linux-os
2004-11-01 5:49 ` Linus Torvalds
2004-11-01 20:23 ` dean gaudet
2004-11-01 20:52 ` linux-os
2004-11-01 21:23 ` dean gaudet
2004-11-01 22:22 ` linux-os
2004-11-01 21:40 ` Linus Torvalds
2004-11-01 21:46 ` Linus Torvalds
2004-11-02 15:02 ` linux-os
2004-11-02 16:02 ` Linus Torvalds
2004-11-02 16:06 ` Linus Torvalds
2004-11-02 16:51 ` linux-os
2004-11-01 22:16 ` linux-os
2004-11-01 22:26 ` Linus Torvalds
2004-11-01 23:14 ` linux-os
2004-11-01 23:42 ` Linus Torvalds
2004-11-03 1:52 ` Horst von Brand
2004-11-03 21:24 ` Bill Davidsen
2004-11-02 6:37 ` Chris Friesen
2004-10-29 18:58 ` Andreas Steinmetz
2004-10-29 19:15 ` Linus Torvalds
2004-10-29 19:40 ` Andreas Steinmetz
2004-10-29 19:56 ` Linus Torvalds
2004-10-29 22:07 ` Jeff Garzik
2004-10-29 23:50 ` dean gaudet
2004-10-30 0:15 ` Linus Torvalds
2004-10-29 23:37 ` dean gaudet
2004-10-29 17:22 ` linux-os
2004-10-29 17:55 ` Richard Henderson
2004-10-29 18:17 ` linux-os
2004-10-29 18:42 ` Linus Torvalds
2004-10-29 18:54 ` Linus Torvalds
2004-10-30 3:35 ` Jeff Garzik
2004-10-29 19:20 ` Linus Torvalds
2004-10-29 19:26 ` Linus Torvalds
2004-10-29 21:03 ` Linus Torvalds
2004-10-29 17:57 ` Richard Henderson
2004-10-29 18:37 ` Gabriel Paubert
2004-10-20 5:58 ` Linux v2.6.9 and GPL Buyout John Alvord
2004-10-20 14:42 ` Martin Waitz
2004-10-21 23:59 ` Kelledin
2004-10-22 8:46 ` Bernd Petrovitsch
2004-10-22 9:07 ` David Weinehall
2004-10-22 16:15 ` Jeff V. Merkey
2004-10-22 17:52 ` Al Viro
2004-10-22 17:22 ` Jeff V. Merkey
2004-10-22 19:37 ` Jeff V. Merkey
2004-10-22 20:46 ` Grahame White
2004-10-22 20:58 ` Buddy Lucas
2004-10-22 21:00 ` Richard B. Johnson
2004-10-22 21:03 ` Thomas Gleixner
2004-10-23 12:33 ` Bernd Petrovitsch
2004-10-24 14:15 ` Kai Henningsen
2004-10-27 1:45 ` Horst von Brand
2004-10-24 11:00 ` Matthias Andree
2004-10-24 14:13 ` Kai Henningsen
2004-10-25 18:44 ` Bill Davidsen
2004-10-20 19:46 ` Bill Davidsen
2004-10-19 21:02 ` Pekka Pietikainen
2004-10-19 20:27 ` Jeff V. Merkey
2004-10-22 6:54 ` Erik Andersen
2004-10-22 16:12 ` Jeff V. Merkey
2004-10-19 21:17 ` Paul Fulghum
2004-10-20 20:41 ` Geert Uytterhoeven
2004-10-23 13:43 ` James Bruce
2004-10-19 21:26 ` Ramón Rey Vicente
2004-10-19 22:52 ` Buddy Lucas
2004-10-20 23:43 ` Eric Bambach
2004-10-20 23:48 ` Eric Bambach
2004-10-20 23:59 ` Hua Zhong
2004-10-21 0:13 ` Russell Miller
2004-10-21 0:18 ` Adam Heath
2004-10-21 10:16 ` Horst von Brand
2004-10-22 8:48 ` Ingo Molnar
2004-10-22 16:15 ` Jeff V. Merkey
2004-10-23 0:14 ` Jon Masters
2004-10-22 23:46 ` Jeff V. Merkey
2004-10-23 0:57 ` Jon Masters
2004-10-23 4:42 ` Jeff V. Merkey
2004-10-23 6:32 ` Nick Piggin
[not found] ` <20041023064538.GA7866@galt.devicelogics.com>
2004-10-23 7:20 ` Jeff V. Merkey
2004-10-23 10:11 ` Gene Heskett
2004-10-23 16:28 ` Linus Torvalds
2004-10-24 2:48 ` Jesper Juhl
2004-10-24 5:11 ` Jeff V. Merkey
2004-10-24 11:14 ` Jon Masters
2004-10-24 11:50 ` Jim Nelson
2004-10-24 15:35 ` Ingo Molnar
2004-10-24 15:53 ` Bernd Petrovitsch
2004-10-31 23:14 ` Jan 'JaSan' Sarenik
2004-10-24 2:11 ` Buddy Lucas
2004-10-23 0:38 ` Lee Revell
2004-10-23 0:07 ` Jeff V. Merkey
2004-10-23 1:06 ` Lee Revell
2004-10-21 2:41 ` Linux v2.6.9 (Strange tty problem?) Paul
2004-10-21 9:07 ` Alan Cox
2004-10-21 12:39 ` Russell King
2004-10-21 13:20 ` Paul Fulghum
2004-10-21 15:37 ` Alan Cox
2004-10-21 17:00 ` Paul Fulghum
2004-10-21 15:47 ` Paul Fulghum
2004-10-21 18:12 ` Paul Fulghum
2004-10-31 21:11 ` Linux v2.6.9 dies when starting X on radeon 9200 SE PCI Helge Hafting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050105120423.GA13662@logos.cnet \
--to=marcelo.tosatti@cyclades.com \
--cc=acme@conectiva.com.br \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bryan@coverity.com \
--cc=davem@redhat.com \
--cc=jaharkes@cs.cmu.edu \
--cc=kas@fi.muni.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=nathans@sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).