| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 5 Nov 2009 09:38:21 -0800 (PST)
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Jiri Kosina <jkosina@...e.cz>
cc: Michael Gilbert <michael.s.gilbert@...il.com>,
Michael Buesch <mb@...sch.de>, Jack Steiner <steiner@....com>,
linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: CVE-2009-2584
On Thu, 5 Nov 2009, Linus Torvalds wrote:
>
> Untested, of course. And since almost nobody has the hardware, so it's not
> like it's ever likely to _be_ tested.
>
> Linus
>
> ---
> drivers/misc/sgi-gru/gruprocfs.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
> index ccd4408..c0e17b0 100644
> --- a/drivers/misc/sgi-gru/gruprocfs.c
> +++ b/drivers/misc/sgi-gru/gruprocfs.c
> @@ -164,7 +164,9 @@ static ssize_t options_write(struct file *file, const char __user *userbuf,
> unsigned long val;
> char buf[80];
>
> - if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
> + if (count >= sizeof(buf))
> + count = sizeof(buf)-1;
> + if (copy_from_user(buf, userbuf, count))
> return -EFAULT;
> buf[count - 1] = '\0';
And it's wrong. That 'count-1' was always wrong. It seems to _depend_ on
people doing things like
echo number > /proc/..
and the 'echo' adding a '\n' at the end, and then 'buf[count-1] = 0'
clearing away the '\n'.
Which is pointless, since '\n' at the end is the _one_ thing
strict_strtoul() accepts. And it's wrong, because it means that
echo -n number > /proc..
fails.
In other words, the whole function is utter sh*t as far as I can tell.
There's basically not a single correct line in the whole thing.
Even the 'strict_strtoul()' line is absolute and utter crap, since it
forces decimal numbers, but 'options_show()' will then show it as a hex
number (and a hex number is natural, since it's a set of flags). It also
doesn't actually return an error if you write some invalid value, and it's
totally pointless to have that 'val' temporary, since the strict_strtoul
function only writes the result if it is successful _anyway_.
The size of the buffer is also insane. Since the _only_ thing we will ever
accept is a number, there's no point in allowing all that many characters.
And silently ignoring the extra characters kind of makes the whole
'strict' part of 'strict_strtoul()' pointless.
So here's a second try. I guess the 'return count/-EFAULT' lines were
actually correct after all. So it wasn't _all_ buggy or insane.
Still entirely untested.
Linus
---
drivers/misc/sgi-gru/gruprocfs.c | 13 +++++++------
1 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
index ccd4408..762f179 100644
--- a/drivers/misc/sgi-gru/gruprocfs.c
+++ b/drivers/misc/sgi-gru/gruprocfs.c
@@ -161,14 +161,15 @@ static int options_show(struct seq_file *s, void *p)
static ssize_t options_write(struct file *file, const char __user *userbuf,
size_t count, loff_t *data)
{
- unsigned long val;
- char buf[80];
+ char buf[16];
- if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
+ if (count >= sizeof(buf))
+ return -EINVAL;
+ if (copy_from_user(buf, userbuf, count))
return -EFAULT;
- buf[count - 1] = '\0';
- if (!strict_strtoul(buf, 10, &val))
- gru_options = val;
+ buf[count] = '\0';
+ if (strict_strtoul(buf, 0, &gru_options))
+ return -EINVAL;
return count;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists