| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Apr 2022 09:54:19 +0200
From: Johan Hovold <johan@...nel.org>
To: Kees Cook <keescook@...omium.org>
Cc: kernel test robot <lkp@...el.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-usb@...r.kernel.org, stable@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] USB: serial: Fix heap overflow in WHITEHEAT_GET_DTR_RTS
On Mon, Apr 18, 2022 at 09:17:42PM -0700, Kees Cook wrote:
> This looks like it's harmless, as both the source and the destinations are
> currently the same allocation size (4 bytes) and don't use their padding,
> but if anything were to ever be added after the "mcr" member in "struct
> whiteheat_private", it would be overwritten. The structs both have a
> single u8 "mcr" member, but are 4 bytes in padded size. The memcpy()
> destination was explicitly targeting the u8 member (size 1) with the
> length of the whole structure (size 4), triggering the memcpy buffer
> overflow warning:
Ehh... No. The size of a structure with a single u8 is 1, not 4. There's
nothing wrong with the current code even if the use of memcpy for this
is a bit odd.
> In file included from include/linux/string.h:253,
> from include/linux/bitmap.h:11,
> from include/linux/cpumask.h:12,
> from include/linux/smp.h:13,
> from include/linux/lockdep.h:14,
> from include/linux/spinlock.h:62,
> from include/linux/mmzone.h:8,
> from include/linux/gfp.h:6,
> from include/linux/slab.h:15,
> from drivers/usb/serial/whiteheat.c:17:
> In function 'fortify_memcpy_chk',
> inlined from 'firm_send_command' at drivers/usb/serial/whiteheat.c:587:4:
> include/linux/fortify-string.h:328:25: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
> 328 | __write_overflow_field(p_size_field, size);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So something is confused here.
> Expand the memcpy() to the entire structure, though perhaps the correct
> solution is to mark all the USB command structures as "__packed".
Again no, why would you potentially overwrite the whole structure just to
update a single field? This is just wrong.
And the only structure that needs a __packed which doesn't have it
already is the unused struct whiteheat_dump.
> Reported-by: kernel test robot <lkp@...el.com>
> Link: https://lore.kernel.org/lkml/202204142318.vDqjjSFn-lkp@intel.com
> Cc: Johan Hovold <johan@...nel.org>
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Cc: linux-usb@...r.kernel.org
> Cc: stable@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> drivers/usb/serial/whiteheat.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
> index da65d14c9ed5..6e00498843fb 100644
> --- a/drivers/usb/serial/whiteheat.c
> +++ b/drivers/usb/serial/whiteheat.c
> @@ -584,7 +584,7 @@ static int firm_send_command(struct usb_serial_port *port, __u8 command,
> switch (command) {
> case WHITEHEAT_GET_DTR_RTS:
> info = usb_get_serial_port_data(port);
> - memcpy(&info->mcr, command_info->result_buffer,
> + memcpy(info, command_info->result_buffer,
> sizeof(struct whiteheat_dr_info));
> break;
> }
Johan
Powered by blists - more mailing lists