lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20090520151528.GA28322@us.ibm.com>
Date:	Wed, 20 May 2009 10:15:28 -0500
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	ashwin.ganti@...il.com
Cc:	gregkh@...e.de, lkml <linux-kernel@...r.kernel.org>
Subject: [PATCH staging] p9auth: prevent some oopses and memory leaks

Before all testcases, do:
	mknod /dev/caphash c 253 0
	mknod /dev/capuse c 253 1

This patch does the following:

1. caphash write of > CAP_NODE_SIZE bytes overruns node_ptr->data
	(test: cat /etc/mime.types > /dev/caphash)
2. make sure we don't dereference a NULL cap_devices[0].head
	(test: cat serge@...t@...b > /dev/capuse)
3. don't let strlen dereference a NULL target_user etc
	(test: echo ab > /dev/capuse)
4. Don't leak a bunch of memory in cap_write().  Note that
   technically node_ptr is not needed for the capuse write case.
   As a result I have a much more extensive patch splitting up
   cap_write(), but I thought a smaller patch that is easier to test
   and verify would be a better start.  To test:
	cnt=0
	while [ 1 ]; do
		echo /etc/mime.types > /dev/capuse
		if [ $((cnt%25)) -eq 0 ]; then
			head -2 /proc/meminfo
		fi
		cnt=$((cnt+1))
		sleep 0.3
	done
   Without this patch, it MemFree steadily drops.  With the patch,
   it does not.

I have *not* tested this driver (with or without these patches)
with factotum or anything - only using the tests described above.

Signed-off-by: Serge E. Hallyn <serue@...ibm.com>
---
 drivers/staging/p9auth/p9auth.c |   24 +++++++++++++++++++++++-
 1 files changed, 23 insertions(+), 1 deletions(-)

diff --git a/drivers/staging/p9auth/p9auth.c b/drivers/staging/p9auth/p9auth.c
index 3cac89b..9111dcb 100644
--- a/drivers/staging/p9auth/p9auth.c
+++ b/drivers/staging/p9auth/p9auth.c
@@ -180,8 +180,12 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
 	if (down_interruptible(&dev->sem))
 		return -ERESTARTSYS;
 
+	user_buf_running = NULL;
+	hash_str = NULL;
 	node_ptr = kmalloc(sizeof(struct cap_node), GFP_KERNEL);
 	user_buf = kzalloc(count, GFP_KERNEL);
+	if (!node_ptr || !user_buf)
+		goto out;
 
 	if (copy_from_user(user_buf, buf, count)) {
 		retval = -EFAULT;
@@ -193,11 +197,21 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
 	 * hashed capability supplied by the user to the list of hashes
 	 */
 	if (0 == iminor(filp->f_dentry->d_inode)) {
+		if (count > CAP_NODE_SIZE) {
+			retval = -EINVAL;
+			goto out;
+		}
 		printk(KERN_INFO "Capability being written to /dev/caphash : \n");
 		hexdump(user_buf, count);
 		memcpy(node_ptr->data, user_buf, count);
 		list_add(&(node_ptr->list), &(dev->head->list));
+		node_ptr = NULL;
 	} else {
+		if (!cap_devices[0].head ||
+				list_empty(&(cap_devices[0].head->list))) {
+			retval = -EINVAL;
+			goto out;
+		}
 		/*
 		 * break the supplied string into tokens with @ as the
 		 * delimiter If the string is "user1@...r2@...domstring" we
@@ -208,6 +222,10 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
 		source_user = strsep(&user_buf_running, "@");
 		target_user = strsep(&user_buf_running, "@");
 		rand_str = strsep(&user_buf_running, "@");
+		if (!source_user || !target_user || !rand_str) {
+			retval = -EINVAL;
+			goto out;
+		}
 
 		/* hash the string user1@...r2 with rand_str as the key */
 		len = strlen(source_user) + strlen(target_user) + 1;
@@ -224,7 +242,7 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
 			retval = -EFAULT;
 			goto out;
 		}
-		memcpy(node_ptr->data, result, CAP_NODE_SIZE);
+		memcpy(node_ptr->data, result, CAP_NODE_SIZE);  /* why? */
 		/* Change the process's uid if the hash is present in the
 		 * list of hashes
 		 */
@@ -299,6 +317,10 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
 		dev->size = *f_pos;
 
 out:
+	kfree(node_ptr);
+	kfree(user_buf);
+	kfree(user_buf_running);
+	kfree(hash_str);
 	up(&dev->sem);
 	return retval;
 }
-- 
1.5.4.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ