From: Greg KH <gregkh@linuxfoundation.org>
To: Fuqian Huang <huangfq.daxian@gmail.com>
Cc: jslaby@suse.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drivers/tty: fix kernel address leaks in rp_ioctl
Date: Sat, 30 Mar 2019 19:45:50 +0100
Message-ID: <20190330184550.GA22377@kroah.com>
In-Reply-To: <CABXRUiTTBDvVC9Z1uRTpmyNgoE2qPY8PXptAEP6nwQFeAFgE7A@mail.gmail.com>
On Sat, Mar 30, 2019 at 06:33:44PM +0800, Fuqian Huang wrote:
> The RCKP_GET_STRUCT case in rp_ioctl will copy a kernel
> pointer(info->port.ops) to user space. The info->port.ops points to a
> constant object 'rocket_port_ops' during the initialization. (init_r_port
> in drivers/tty/rocket.c:633)
>
> Add a function clear_pointer_fields to set the pointer fields of struct
> r_port to NULL before copy_to_user.
>
> Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
> Reported-by: Fuqian Huang <huangfq.daxian@gmail.com>
> --
> diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c
> index b121d8f..28016e1 100644
> --- a/drivers/tty/rocket.c
> +++ b/drivers/tty/rocket.c
> @@ -1271,21 +1271,42 @@ static int get_version(struct r_port *info, struct
> rocket_version __user *retver
> return 0;
> }
>
> +static void clear_pointer_fields(struct r_port *old, struct r_port *new)
> +{
> + memcpy(new, old, sizeof (struct r_port));
> + new->port.tty = NULL;
> + new->port.itty = NULL;
> + new->port.ops = NULL;
> + new->port.client_ops = NULL;
> + memset(&new->port.open_wait.head, 0, sizeof(struct list_head));
> + memset(&new->port.delta_msr_wait.head, 0, sizeof(struct list_head));
> + memset(&new->port.mutex.wait_list, 0, sizeof(struct list_head));
> + memset(&new->port.buf_mutex.wait_list, 0, sizeof(struct list_head));
> + new->port.xmit_buf = NULL;
> + new->port.client_data = NULL;
> + new->ctlp = NULL;
> + new->xmit_buf = NULL;
> + memset(&new->write_mtx.wait_list, 0, sizeof(struct list_head));
> +}
> +
> /* IOCTL call handler into the driver */
> static int rp_ioctl(struct tty_struct *tty,
> unsigned int cmd, unsigned long arg)
> {
> struct r_port *info = tty->driver_data;
> + struct r_port *masked_info;
> void __user *argp = (void __user *)arg;
> int ret = 0;
>
> if (cmd != RCKP_GET_PORTS && rocket_paranoia_check(info, "rp_ioctl"))
> return -ENXIO;
> -
> switch (cmd) {
> case RCKP_GET_STRUCT:
> - if (copy_to_user(argp, info, sizeof (struct r_port)))
> + masked_info = kzalloc(sizeof (struct r_port), GFP_KERNEL);
> + clear_pointer_fields(info, masked_info);
> + if (copy_to_user(argp, masked_info, sizeof (struct r_port)))
> ret = -EFAULT;
> + kfree(masked_info);
> break;
> case RCKP_GET_CONFIG:
> ret = get_config(info, argp);
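Review bot: the result of `masked_info = kzalloc(sizeof (struct r_port), GFP_KERNEL)` is never checked, so on allocation failure `clear_pointer_fields(info, masked_info)` memcpy()s the whole struct into a NULL destination; add `if (!masked_info) { ret = -ENOMEM; break; }` before the call (the `kfree(masked_info)` after `copy_to_user()` is then reached on both the success and the -EFAULT path). Since `clear_pointer_fields()` memcpy()s the full struct before blanking fields, the zeroing done by kzalloc is redundant; a plain kmalloc, or a local copy, would do. More fundamentally, the deny-list approach is fragile: the copy is still `sizeof (struct r_port)` bytes of live in-kernel layout, the `memset(..., 0, sizeof(struct list_head))` calls zero only the list heads inside `open_wait`, `delta_msr_wait`, `mutex`, `buf_mutex` and `write_mtx` while the rest of those embedded structures is copied as-is, and any pointer later added to `struct r_port` or `struct tty_port` will leak again. Consider copying only the scalar fields user space actually needs into a zeroed buffer (allow-list), or stop exporting the raw in-kernel struct through RCKP_GET_STRUCT altogether. Minor: the `-` line removing the blank line before `switch (cmd)` is an unrelated whitespace change and should be dropped from this patch.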
The patch is totally whitespace corrupted and can not be applied :(
You can not cut/paste in gmail when sending a patch.
Also, your change leaks memory on the error path :(
Please fix up and try again.
thanks,
greg k-h
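The patch above blanks pointers one by one in a copy of the in-kernel struct (a deny-list). As an added example, not code from the rocket driver, the patch or this thread, the following standalone C program contrasts that class of leak with the allow-list pattern a reviewer would usually ask for: copy only the scalar fields user space needs into a zeroed, fixed-layout struct. The struct names (`kport`, `kport_user`, `ops_table`), the field set and the `fake_copy_to_user()` stand-in are hypothetical; the scan helper shows how a test can confirm no pointer value survived in the bytes handed to user space.

```c
/* Added example (hypothetical structs, not the rocket driver's): how a raw
 * copy_to_user() of an in-kernel struct leaks pointers, and the allow-list
 * alternative. Builds in user space so the behaviour can be checked offline. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical in-kernel state: scalars user space wants, mixed with
 * pointers it must never see (ops table in .rodata, heap buffer, list link). */
struct ops_table { int (*open)(void); };
struct kport {
    int               line;
    int               flags;
    struct ops_table *ops;          /* address of a const kernel object */
    void             *xmit_buf;     /* heap pointer */
    unsigned short    closing_wait;
    /* the compiler inserts padding here before the next pointer */
    struct kport     *next;
};

/* Hypothetical user-visible layout: scalars only, explicit padding, no pointers. */
struct kport_user {
    int            line;
    int            flags;
    unsigned short closing_wait;
    unsigned short reserved;        /* explicit padding, always zero */
};

/* Stand-in for copy_to_user(): returns 0 on success, like the kernel's. */
static int fake_copy_to_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable pattern: dump the live kernel struct, pointers and padding included. */
static int get_struct_leaky(const struct kport *info, void *argp)
{
    return fake_copy_to_user(argp, info, sizeof(*info));
}

/* Hardened pattern: build a zeroed user struct field by field. memset() also
 * zeroes padding bytes, which a brace initialiser is not required to do. */
static int get_struct_safe(const struct kport *info, void *argp)
{
    struct kport_user u;
    memset(&u, 0, sizeof(u));
    u.line = info->line;
    u.flags = info->flags;
    u.closing_wait = info->closing_wait;
    return fake_copy_to_user(argp, &u, sizeof(u));
}

/* Does the buffer handed to user space contain pointer value p at any
 * byte offset? Returns 1 if found, 0 otherwise. */
static int buffer_contains_ptr(const unsigned char *buf, size_t n, const void *p)
{
    uintptr_t v = (uintptr_t)p;
    for (size_t i = 0; i + sizeof(v) <= n; i++) {
        uintptr_t w;
        memcpy(&w, buf + i, sizeof(w));
        if (w == v)
            return 1;
    }
    return 0;
}

/* Run one getter against constructed sample state and count how many of the
 * three known pointer values appear in the first out_len bytes it produced. */
typedef int (*getter_t)(const struct kport *, void *);
static int count_leaked_pointers(getter_t getter, size_t out_len)
{
    static struct ops_table ops;           /* constructed sample objects */
    static char backing[64];
    static struct kport dummy_next;
    struct kport info = {
        .line = 3, .flags = 0x1000, .ops = &ops,
        .xmit_buf = backing, .closing_wait = 3000, .next = &dummy_next,
    };
    unsigned char out[sizeof(struct kport)];
    int leaks = 0;

    memset(out, 0, sizeof(out));
    getter(&info, out);
    leaks += buffer_contains_ptr(out, out_len, info.ops);
    leaks += buffer_contains_ptr(out, out_len, info.xmit_buf);
    leaks += buffer_contains_ptr(out, out_len, info.next);
    return leaks;
}

int main(void)
{
    printf("leaky getter: %d pointers leaked\n",
           count_leaked_pointers(get_struct_leaky, sizeof(struct kport)));
    printf("safe getter:  %d pointers leaked\n",
           count_leaked_pointers(get_struct_safe, sizeof(struct kport_user)));
    return 0;
}
```

The allow-list version also has a layout that does not change with kernel config or with later additions to the in-kernel struct, which is what makes a deny-list of pointer fields hard to keep complete.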