From: Cyrill Gorcunov <gorcunov@gmail.com>
To: David Wagner <daw-news@cs.berkeley.edu>
Cc: linux-kernel@vger.kernel.org
Subject: Re: buffer overflow in /proc/sys/sunrpc/transports
Date: Sun, 31 Aug 2008 12:37:53 +0400 [thread overview]
Message-ID: <20080831083753.GA7391@lenovo> (raw)
In-Reply-To: <g9cj5n$tjv$1@taverner.cs.berkeley.edu>
[David Wagner - Sat, Aug 30, 2008 at 10:55:51PM +0000]
| Cyrill Gorcunov wrote:
| >Index: linux-2.6.git/net/sunrpc/sysctl.c
| >===================================================================
| >--- linux-2.6.git.orig/net/sunrpc/sysctl.c 2008-07-20 11:40:14.000000000 +0400
| >+++ linux-2.6.git/net/sunrpc/sysctl.c 2008-08-30 23:05:30.000000000 +0400
| >@@ -69,6 +69,8 @@ static int proc_do_xprt(ctl_table *table
| > return -EINVAL;
| > else {
| > len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
| >+ if (*lenp < len)
| >+ return -EFAULT;
| > if (!access_ok(VERIFY_WRITE, buffer, len))
| > return -EFAULT;
|
| 1. Would it be better to use copy_to_user() rather than
| access_ok() followed immediately by __copy_to_user()?
|
| 2. Is it OK to dereference *lenp directly? Is lenp a pointer into user
| memory or kernel memory? If it points to user memory, why is it safe to
| dereference it directly? (What about TOCTTOU bugs?) Should there be
| some sparse annotations here to ensure the code is not dereferencing
| user pointers directly? Later on, proc_do_xprt() also dereferences
| *lenp and *ppos directly.
Didn't check for this - will do.
|
| 3. 'len' is declared as a signed int. len will be converted to size_t
| before doing the comparison, so if len can ever be negative (e.g.,
| svc_print_xprts() returns -1 because of an error), this patch will do
| the wrong thing. Looks like the current definition of svc_print_xprts()
| won't ever do that, as that code currently stands, so at present this
| is not a bug. However from a security point of view there are benefits
| to code whose correctness is 'locally obvious', all else being equal.
| In particular this seems like a possible maintenance hazard. Would it be
| better to use type size_t for lengths like this that are never supposed
| to be negative?
|
| 4. Is proc_dostring() relevant here?
|
Yes David, I think proc_dostring is better candidate to use here, thanks!
- Cyrill -
next prev parent reply other threads:[~2008-08-31 8:38 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-30 18:44 buffer overflow in /proc/sys/sunrpc/transports Vegard Nossum
2008-08-30 19:06 ` Cyrill Gorcunov
2008-08-30 19:15 ` Vegard Nossum
2008-08-30 19:21 ` Cyrill Gorcunov
2008-08-30 19:23 ` Cyrill Gorcunov
2008-08-30 19:34 ` Vegard Nossum
2008-08-30 19:44 ` Cyrill Gorcunov
2008-08-30 19:42 ` Vegard Nossum
2008-08-30 19:45 ` Cyrill Gorcunov
2008-08-30 19:56 ` Cyrill Gorcunov
2008-08-30 19:59 ` Vegard Nossum
2008-08-30 20:04 ` Cyrill Gorcunov
2008-08-30 20:13 ` Vegard Nossum
2008-08-30 20:15 ` Cyrill Gorcunov
2008-08-30 20:29 ` Cyrill Gorcunov
2008-08-30 22:55 ` David Wagner
2008-08-31 8:37 ` Cyrill Gorcunov [this message]
2008-08-31 10:30 ` Cyrill Gorcunov
2008-08-31 10:37 ` Cyrill Gorcunov
2008-08-30 20:20 ` David Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080831083753.GA7391@lenovo \
--to=gorcunov@gmail.com \
--cc=daw-news@cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox