lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120420220010.0fa29bee@pyramind.ukuu.org.uk>
Date:	Fri, 20 Apr 2012 22:00:10 +0100
From:	Alan Cox <alan@...rguk.ukuu.org.uk>
To:	Emil Goode <emilgoode@...il.com>
Cc:	gregkh@...uxfoundation.org, kernel-janitors@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] drivers/tty: Use get_user instead of dereferencing user
 pointer

On Fri, 20 Apr 2012 17:52:34 +0200
Emil Goode <emilgoode@...il.com> wrote:

> We should use the get_user macro instead of dereferencing user
> pointers directly.
> 
> This patch fixes the following sparse warning:
> drivers/tty/n_tty.c:1648:51: warning:
> 	dereference of noderef expression
> 
> Signed-off-by: Emil Goode <emilgoode@...il.com>

So I gave it a five second glance and thought "must be a crazy newbie",
then I looked harder 8)

> I'm a newbie so please review carefully.
> Not sure if I should add error handling for the get_user call here.

You are correct, and it's been wrong for ages. You are also the first
person to my knowledge to actually dig into that sparse warning and fix
it!

>  		/* Turn single EOF into zero-length read */
>  		if (L_EXTPROC(tty) && tty->icanon && n == 1) {
> -			if (!tty->read_cnt && (*b)[n-1] == EOF_CHAR(tty))
> +			get_user(ch, b[n-1]);
> +			if (!tty->read_cnt && ch == EOF_CHAR(tty))
>  				n--;
>  		}

The real question is what this code should be doing. The only case it can
be triggered as far as I can see is:

User provides buffer one byte shorter than the size passed to the syscall
Data is copied and copy_to_user returns 1 byte uncopied
n ends up as one

At this point we can take this path. What I don't understand at this
point is what this code path is actually *supposed* to do.

I think it should be testing against the value of n before the n -=
retval, and also checking the data it copied *from* in kernel space, not
the user size. The user data might be changed by another thread.

First problem therefore is to figure out what this code is supposed to be
doing. However you are right that the code is incorrect, and if it was a
simple bug your fix would also be correct.

It's not simple however, so can anyone work out or remember wtf the code
should be doing ???

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ