lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Sun, 27 Jul 2014 19:44:08 +0100
From:	Malcolm Priestley <tvboxspy@...il.com>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
CC:	Guillaume CLÉMENT <gclement@...bob.org>,
	devel@...verdev.osuosl.org,
	Forest Bond <forest@...ttletooquiet.net>,
	Dan Carpenter <dan.carpenter@...cle.com>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] staging: vt6655: fix direct dereferencing of user pointer

On 27/07/14 19:21, Greg Kroah-Hartman wrote:
> On Sat, Jul 26, 2014 at 11:44:57AM +0100, Malcolm Priestley wrote:
>> On 26/07/14 10:18, Guillaume CLÉMENT wrote:
>>> On Sat, Jul 26, 2014 at 10:24:30AM +0200, Guillaume CLÉMENT wrote:
>>>> Hi Malcolm,
>>>>
>>>> On Sat, Jul 26, 2014 at 12:09:49AM +0100, Malcolm Priestley wrote:
>>>>> Hi Guillaume
>>>>>
>>>>> On 25/07/14 13:47, Guillaume Clement wrote:
>>>>>> Sparse reported that the data from tagSCmdRequest is given by
>>>>>> userspace, so it should be tagged as such.
>>>>> extra is not in user space
>>>>>
>>>>
>>>> All right.
>>>>
>>>> This is still confusing to me because, taking the SIOCSIWGENIE ioctl as
>>>> an example, in device_main.c, we have this code:
>>>>
>>>> rc = iwctl_siwgenie(dev, NULL, &(wrq->u.data), wrq->u.data.pointer);
>>>>
>>>> Here the extra parameter is the last one, wrq->u.data.pointer.
>>>>
>>>> I was led to believe that wrq->u.data.pointer is in userspace (this was
>>>> reported by sparse actually) because the pointer field in data is
>>>> actually defined as __user.
>>>>
>>>>
>>> By the way, the original code (before my patch) reads:
>>>
>>> 	if ((wrq->length < 2) || (extra[1]+2 != wrq->length)) {
>>> 		ret = -EINVAL;
>>> 		goto out;
>>> 	}
>>> 	if (wrq->length > MAX_WPA_IE_LEN) {
>>> 		ret = -ENOMEM;
>>> 		goto out;
>>> 	}
>>> 	memset(pMgmt->abyWPAIE, 0, MAX_WPA_IE_LEN);
>>> 	if (copy_from_user(pMgmt->abyWPAIE, extra, wrq->length)) {
>>> 		ret = -EFAULT;
>>> 		goto out;
>>> 	}
>>>
>>> Note extra[1] and later copy_from_user(x, extra, y).
>>>
>>> If extra is not in userspace, we should not call copy_from_user, and if
>>> it is, we should not dereference it. There is definitely something fishy
>>> here.
>>>
>>
>> I got it wrong when the iw_handler is not present a standard ioctl is called
>> extra is in userspace.
>>
>> Sorry for the noise.
>
> So this patch is acceptable?
>
Yes, this patch is okay.


> confused,
>
> greg k-h
>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ