| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20090308204535.8a2af3fa.akpm@linux-foundation.org>
Date: Sun, 8 Mar 2009 20:45:35 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: Li Zefan <lizf@...fujitsu.com>
Cc: Arjan van de Ven <arjan@...radead.org>, adobriyan@...il.com,
linux-kernel@...r.kernel.org, linux-mm@...ck.org,
Karsten Keil <kkeil@...e.de>, Samuel Ortiz <samuel@...tiz.org>,
Chris Mason <chris.mason@...cle.com>,
Steven Whitehouse <swhiteho@...hat.com>,
Trond Myklebust <trond.myklebust@....uio.no>
Subject: Re: [PATCH -v2] memdup_user(): introduce
On Mon, 09 Mar 2009 11:30:18 +0800 Li Zefan <lizf@...fujitsu.com> wrote:
> Andrew Morton wrote:
> > On Mon, 09 Mar 2009 10:22:08 +0800 Li Zefan <lizf@...fujitsu.com> wrote:
> >
> >>>>> +EXPORT_SYMBOL(memdup_user);
> >>> Hi,
> >>>
> >>> I like the general idea of this a lot; it will make things much less
> >>> error prone (and we can add some sanity checks on "len" to catch the
> >>> standard security holes around copy_from_user usage). I'd even also
> >>> want a memdup_array() like thing in the style of calloc().
> >>>
> >>> However, I have two questions/suggestions for improvement:
> >>>
> >>> I would like to question the use of the gfp argument here;
> >>> copy_from_user sleeps, so you can't use GFP_ATOMIC anyway.
> >>> You can't use GFP_NOFS etc, because the pagefault path will happily do
> >>> things that are equivalent, if not identical, to GFP_KERNEL.
> >>>
> >>> So the only value you can pass in correctly, as far as I can see, is
> >>> GFP_KERNEL. Am I wrong?
> >>>
> >> Right! I just dug and found a few kmalloc(GFP_ATOMIC/GFP_NOFS)+copy_from_user(),
> >> so we have one more reason to use this memdup_user().
> >
> > gack, those callsites are probably buggy. Where are they?
> >
>
> Yes, either buggy or should use GFP_KERNEL.
>
> All are in -mm only, except the first one:
>
> drivers/isdn/i4l/isdn_common.c:
> struct sk_buff *skb = alloc_skb(hl + len, GFP_ATOMIC);
> ...
> if (copy_from_user(skb_put(skb, len), buf, len)) {
Bug. Should be GFP_KERNEL, or copy_from_user() is incorrect in this
context.
>
> net/irda/af_irda.c:
> ias_opt = kmalloc(sizeof(struct irda_ias_set), GFP_ATOMIC);
> ...
> if (copy_from_user(ias_opt, optval, optlen)) {
Bug. Should be GFP_KERNEL, or copy_from_user() is incorrect in this
context.
>
> fs/btrfs/ioctl.c:
> vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS);
> ...
> if (copy_from_user(vol_args, arg, sizeof(*vol_args))) {
Bug. Should be GFP_KERNEL, or copy_from_user() is incorrect in this
context.
> > fs/ocfs2/dlm/dlmfs.c:
> lvb_buf = kmalloc(writelen, GFP_NOFS);
> ...
> bytes_left = copy_from_user(lvb_buf, buf, writelen);
Bug. Should be GFP_KERNEL, or copy_from_user() is incorrect in this
context.
>
> net/sunrpc/auth_gss/auth_gss.c:
> buf = kmalloc(mlen, GFP_NOFS);
> ...
> if (copy_from_user(buf, src, mlen))
Bug. Should be GFP_KERNEL, or copy_from_user() is incorrect in this
context.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists