| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 05 Oct 2018 11:55:21 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: wang6495@....edu
Cc: kjlu@....edu, jpr@...bb.org, linux-hams@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] yam: fix a missing-check bug
From: Wenwen Wang <wang6495@....edu>
Date: Fri, 5 Oct 2018 10:59:36 -0500
> In yam_ioctl(), the concrete ioctl command is firstly copied from the
> user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the
> following switch statement. If the command is not as expected, an error
> code EINVAL is returned. In the following execution the buffer
> 'ifr->ifr_data' is copied again in the cases of the switch statement to
> specific data structures according to what kind of ioctl command is
> requested. However, after the second copy, no re-check is enforced on the
> newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user
> space, a malicious user can race to change the command between the two
> copies. This way, the attacker can inject inconsistent data and cause
> undefined behavior.
>
> This patch adds a re-check in each case of the switch statement if there is
> a second copy in that case, to re-check whether the command obtained in the
> second copy is the same as the one in the first copy. If not, an error code
> EINVAL will be returned.
>
> Signed-off-by: Wenwen Wang <wang6495@....edu>
Applied, thanks.
Powered by blists - more mailing lists