* a kernel address leak via copy_to_user in drivers/tty/rocket.c
@ 2019-03-30 7:05 Fuqian Huang
2019-03-30 7:14 ` Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: Fuqian Huang @ 2019-03-30 7:05 UTC (permalink / raw)
To: gregkh, jslaby, linux-kernel
Hi, recently I found that there is a kernel address leaks to user
space via copy_to_user in
drivers/tty/rocket.c:1287 (linux-5.0.5)
static int rp_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned
long arg) {
...
case RCKP_GET_STRUCT:
if (copy_to_user(argp, info, sizeof(struct r_port))
...
}
The `info` is a struct r_port. and the field `r_port.port.ops` is an
constant pointer,
and it points to a constant object `rocket_port_ops` during the initialization.
(function init_r_port) (drivers/tty/rocket.c:633)
patch suggestion:
set the pointer field to null before the copy to user call.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: a kernel address leak via copy_to_user in drivers/tty/rocket.c 2019-03-30 7:05 a kernel address leak via copy_to_user in drivers/tty/rocket.c Fuqian Huang @ 2019-03-30 7:14 ` Greg KH 2019-03-30 8:02 ` Fuqian Huang 0 siblings, 1 reply; 4+ messages in thread From: Greg KH @ 2019-03-30 7:14 UTC (permalink / raw) To: Fuqian Huang; +Cc: jslaby, linux-kernel On Sat, Mar 30, 2019 at 03:05:11PM +0800, Fuqian Huang wrote: > Hi, recently I found that there is a kernel address leaks to user > space via copy_to_user in > drivers/tty/rocket.c:1287 (linux-5.0.5) > static int rp_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned > long arg) { > ... > case RCKP_GET_STRUCT: > if (copy_to_user(argp, info, sizeof(struct r_port)) > ... > } > The `info` is a struct r_port. and the field `r_port.port.ops` is an > constant pointer, > and it points to a constant object `rocket_port_ops` during the initialization. > (function init_r_port) (drivers/tty/rocket.c:633) > > patch suggestion: > set the pointer field to null before the copy to user call. Great, can you send a patch to fix this so that you get the proper credit for finding and resolving it? thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: a kernel address leak via copy_to_user in drivers/tty/rocket.c 2019-03-30 7:14 ` Greg KH @ 2019-03-30 8:02 ` Fuqian Huang 2019-03-30 8:11 ` Greg KH 0 siblings, 1 reply; 4+ messages in thread From: Fuqian Huang @ 2019-03-30 8:02 UTC (permalink / raw) To: Greg KH; +Cc: jslaby, linux-kernel I add a function to mask all pointer fields of struct r_port. (Other pointer fields may have a similar issue, so I set all pointer fields to NULL); The modified code is marked with ">" >1274 static void mask_pointer(struct r_port *info, struct r_port *masked_info) { >1275 memcpy(masked_info, info, sizeof (struct r_port)); >1276 masked_info->port.tty = NULL; >1277 masked_info->port.itty = NULL; >1278 masked_info->port.ops = NULL; >1279 masked_info->port.client_ops = NULL; >1280 memset(&masked_info->port.open_wait.head, 0, sizeof(struct list_head)); >1281 memset(&masked_info->port.delta_msr_wait.head, 0, sizeof(struct list_head)); >1282 memset(&masked_info->port.mutex.wait_list, 0, sizeof(struct list_head)); >1283 memset(&masked_info->port.buf_mutex.wait_list, 0, sizeof(struct list_head)); >1284 masked_info->port.xmit_buf = NULL; >1285 masked_info->port.client_data = NULL; >1286 masked_info->ctlp = NULL; >1287 masked_info->xmit_buf = NULL; >1288 memset(&masked_info->write_mtx.wait_list, 0, sizeof(struct list_head)); >1289 } 1290 1291 /* IOCTL call handler into the driver */ 1292 static int rp_ioctl(struct tty_struct *tty, 1293 unsigned int cmd, unsigned long arg) 1294 { 1295 struct r_port *info = tty->driver_data; >1296 struct r_port *masked_info; 1297 void __user *argp = (void __user *)arg; 1298 int ret = 0; 1299 1300 if (cmd != RCKP_GET_PORTS && rocket_paranoia_check(info, "rp_ioctl")) 1301 return -ENXIO; 1302 switch (cmd) { 1303 case RCKP_GET_STRUCT: >1304 masked_info = kzalloc(sizeof (struct r_port), GFP_KERNEL); >1305 mask_pointer(info, masked_info); >1306 if (copy_to_user(argp, masked_info, sizeof (struct r_port))) 1307 ret = -EFAULT; Greg KH <gregkh@linuxfoundation.org> 於 2019年3月30日週六 下午3:14寫道: > > On Sat, Mar 30, 2019 at 03:05:11PM +0800, Fuqian Huang wrote: > > Hi, recently I found that there is a kernel address leaks to user > > space via copy_to_user in > > drivers/tty/rocket.c:1287 (linux-5.0.5) > > static int rp_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned > > long arg) { > > ... > > case RCKP_GET_STRUCT: > > if (copy_to_user(argp, info, sizeof(struct r_port)) > > ... > > } > > The `info` is a struct r_port. and the field `r_port.port.ops` is an > > constant pointer, > > and it points to a constant object `rocket_port_ops` during the initialization. > > (function init_r_port) (drivers/tty/rocket.c:633) > > > > patch suggestion: > > set the pointer field to null before the copy to user call. > > Great, can you send a patch to fix this so that you get the proper > credit for finding and resolving it? > > thanks, > > greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: a kernel address leak via copy_to_user in drivers/tty/rocket.c 2019-03-30 8:02 ` Fuqian Huang @ 2019-03-30 8:11 ` Greg KH 0 siblings, 0 replies; 4+ messages in thread From: Greg KH @ 2019-03-30 8:11 UTC (permalink / raw) To: Fuqian Huang; +Cc: jslaby, linux-kernel On Sat, Mar 30, 2019 at 04:02:38PM +0800, Fuqian Huang wrote: > I add a function to mask all pointer fields of struct r_port. (Other > pointer fields may have a similar issue, so I set all pointer fields > to NULL); > The modified code is marked with ">" > > >1274 static void mask_pointer(struct r_port *info, struct r_port *masked_info) { > >1275 memcpy(masked_info, info, sizeof (struct r_port)); > >1276 masked_info->port.tty = NULL; > >1277 masked_info->port.itty = NULL; > >1278 masked_info->port.ops = NULL; > >1279 masked_info->port.client_ops = NULL; > >1280 memset(&masked_info->port.open_wait.head, 0, sizeof(struct list_head)); > >1281 memset(&masked_info->port.delta_msr_wait.head, 0, sizeof(struct list_head)); > >1282 memset(&masked_info->port.mutex.wait_list, 0, sizeof(struct list_head)); > >1283 memset(&masked_info->port.buf_mutex.wait_list, 0, sizeof(struct list_head)); > >1284 masked_info->port.xmit_buf = NULL; > >1285 masked_info->port.client_data = NULL; > >1286 masked_info->ctlp = NULL; > >1287 masked_info->xmit_buf = NULL; > >1288 memset(&masked_info->write_mtx.wait_list, 0, sizeof(struct list_head)); > >1289 } > 1290 > 1291 /* IOCTL call handler into the driver */ > 1292 static int rp_ioctl(struct tty_struct *tty, > 1293 unsigned int cmd, unsigned long arg) > 1294 { > 1295 struct r_port *info = tty->driver_data; > >1296 struct r_port *masked_info; > 1297 void __user *argp = (void __user *)arg; > 1298 int ret = 0; > 1299 > 1300 if (cmd != RCKP_GET_PORTS && rocket_paranoia_check(info, "rp_ioctl")) > 1301 return -ENXIO; > 1302 switch (cmd) { > 1303 case RCKP_GET_STRUCT: > >1304 masked_info = kzalloc(sizeof (struct r_port), GFP_KERNEL); > >1305 mask_pointer(info, masked_info); > >1306 if (copy_to_user(argp, masked_info, sizeof (struct r_port))) > 1307 ret = -EFAULT; Please read Documentation/SubmittingPatches for the proper way to create and submit a patch such that we can apply it. thanks! greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-03-30 8:12 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-03-30 7:05 a kernel address leak via copy_to_user in drivers/tty/rocket.c Fuqian Huang 2019-03-30 7:14 ` Greg KH 2019-03-30 8:02 ` Fuqian Huang 2019-03-30 8:11 ` Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox