lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 17 Mar 2013 20:50:03 +0100 From: Daniel Vetter <daniel.vetter@...ll.ch> To: Chris Wilson <chris@...is-wilson.co.uk>, Ben Widawsky <ben@...dawsk.net>, Tommi Rantala <tt.rantala@...il.com>, David Airlie <airlied@...ux.ie>, Daniel Vetter <daniel.vetter@...ll.ch>, intel-gfx@...ts.freedesktop.org, linux-kernel@...r.kernel.org, dri-devel@...ts.freedesktop.org, Dave Jones <davej@...hat.com> Subject: Re: [Intel-gfx] [PATCH] drm/i915: Sanity check incoming ioctl data for a NULL pointer On Sat, Mar 16, 2013 at 11:19 AM, Chris Wilson <chris@...is-wilson.co.uk> wrote: > On Fri, Mar 15, 2013 at 04:49:42PM -0700, Ben Widawsky wrote: >> On Fri, Mar 15, 2013 at 10:06:19PM +0000, Chris Wilson wrote: >> > On Fri, Mar 15, 2013 at 09:36:07AM -0700, Ben Widawsky wrote: >> > > On Fri, Mar 15, 2013 at 08:24:03AM +0000, Chris Wilson wrote: >> > > > That's what I thought too. Looking at the stack trace, the empirical >> > > > evidence is that we need the check. >> > > > -Chris >> > > >> > > I think we need to investigate the issue more then, or put a BUG_ON() in >> > > the drm code and run it through trinity. We have other places where arg >> > > can't/shouldn't be NULL and we don't check. >> > >> > Actually we are both wrong. drm_ioctl() does not validate that the >> > user struct matches the expected size, just ensures that if that user >> > cmd specifies that the arg is to be used that it only up to the known >> > size is copied. >> > >> > A hostile userspace can bludgen a NULL pointer through drm_ioctl() into >> > the driver->ioctl->func(). >> >> > > > + if (args == NULL) >> > > > + return -EINVAL; >> > > > + >> >> I must be failing to see the obvious, but I'm still not getting how args >> can ever be NULL. kdata which is passed to us as "data" and cast to >> "args' is either always some stack variable, or some kmalloc'd memory. I >> see how the arguments themselves can be crap which is really only when >> user size != drv_size. >> >> So tell me, which case can result in a NULL arg? >> 1. user size == drv_size // better not be this one >> 2. user size < driver size >> 3. user size > driver size >> >> It seems to me we still must [simply] be missing something in our >> parameter validation. > > If *userspace* doesn't request either IOC_IN | IOC_OUT in their ioctl > command (which are seperate from the ioctl number), then kdata is set to > NULL. Doesn't that mean that we need these checks everywhere? Or at least a fixup in drm core proper? And I think we need to add trinity to our test setup eventually ;-) -Daniel -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists