Re: [PATCH] ipvs: Add boundary check on ioctl arguments

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Arjan van de Ven <arjan@infradead.org>
To: Hannes Eder <heder@google.com>
Cc: Wensong Zhang <wensong@linux-vs.org>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Simon Horman <horms@verge.net.au>
Subject: Re: [PATCH] ipvs: Add boundary check on ioctl arguments
Date: Wed, 30 Sep 2009 17:18:33 +0200	[thread overview]
Message-ID: <20090930171833.5ce0011d@infradead.org> (raw)
In-Reply-To: <4AC35F44.60707@google.com>

On Wed, 30 Sep 2009 15:38:12 +0200
Hannes Eder <heder@google.com> wrote:
>  > @@ -2353,17 +2357,25 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd,
>  > void __user 
> *user, int *len)
>  >  {
>  >  	unsigned char arg[128];
> 
> can MAX_ARG_LEN be used here?

I am not convinced... it is a different numerical value,
so it could be an ABI change. Rather not do that in this
type of patch...

>  > +	copylen = get_arglen[GET_CMDID(cmd)];
>  > +	if (copylen > 128)
> 
> I think it's better to use 'copylen > sizeof(arg)' here.

fair enough; updated patch below

>From 28ae217858e683c0c94c02219d46a9a9c87f61c6 Mon Sep 17 00:00:00 2001
From: Arjan van de Ven <arjan@linux.intel.com>
Date: Wed, 30 Sep 2009 13:05:51 +0200
Subject: [PATCH] ipvs: Add boundary check on ioctl arguments

The ipvs code has a nifty system for doing the size of ioctl command copies;
it defines an array with values into which it indexes the cmd to find the
right length.

Unfortunately, the ipvs code forgot to check if the cmd was in the range
that the array provides, allowing for an index outside of the array,
which then gives a "garbage" result into the length, which then gets
used for copying into a stack buffer.

Fix this by adding sanity checks on these as well as the copy size.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
---
 net/netfilter/ipvs/ip_vs_ctl.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index ac624e5..7adc876 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2077,6 +2077,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
 
+	if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX + 1)
+		return -EINVAL;
+	if (len < 0 || len >  sizeof(arg))
+		return -EINVAL;
 	if (len != set_arglen[SET_CMDID(cmd)]) {
 		pr_err("set_ctl: len %u != %u\n",
 		       len, set_arglen[SET_CMDID(cmd)]);
@@ -2353,17 +2357,25 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 {
 	unsigned char arg[128];
 	int ret = 0;
+	unsigned int copylen;
 
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
 
+	if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX + 1)
+		return -EINVAL;
+
 	if (*len < get_arglen[GET_CMDID(cmd)]) {
 		pr_err("get_ctl: len %u < %u\n",
 		       *len, get_arglen[GET_CMDID(cmd)]);
 		return -EINVAL;
 	}
 
-	if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0)
+	copylen = get_arglen[GET_CMDID(cmd)];
+	if (copylen > sizeof(arg))
+		return -EINVAL;
+
+	if (copy_from_user(arg, user, copylen) != 0)
 		return -EFAULT;
 
 	if (mutex_lock_interruptible(&__ip_vs_mutex))
-- 
1.6.2.5



-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org

next prev parent reply	other threads:[~2009-09-30 15:18 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-09-30 11:11 [PATCH] ipvs: Add boundary check on ioctl arguments Arjan van de Ven
2009-09-30 13:38 ` Hannes Eder
2009-09-30 15:18   ` Arjan van de Ven [this message]
2009-09-30 15:33     ` Hannes Eder
2009-09-30 19:41     ` Julian Anastasov
2009-10-01  7:22       ` Arjan van de Ven
2009-10-02  8:35     ` Julian Anastasov
2009-12-15  6:17 ` Arjan van de Ven
2009-12-15  6:32   ` Simon Horman
2009-12-24  4:16     ` Simon Horman
  -- strict thread matches above, loose matches on Subject: below --
2009-12-29  1:58 Simon Horman
2010-01-04 13:59 ` Patrick McHardy
2010-01-04 15:34   ` Arjan van de Ven
2010-01-04 15:39     ` Patrick McHardy
2010-01-04 23:25       ` Simon Horman

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ac624e5 dfblob:7adc876 )
 OR (
bs:"ipvs: Add boundary check on ioctl arguments" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090930171833.5ce0011d@infradead.org \
    --to=arjan@infradead.org \
    --cc=heder@google.com \
    --cc=horms@verge.net.au \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=wensong@linux-vs.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).