lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 26 Jul 2014 10:24:32 +0200
From:	Guillaume CLÉMENT <gclement@...bob.org>
To:	Malcolm Priestley <tvboxspy@...il.com>
Cc:	Guillaume Clement <gclement@...bob.org>,
	Forest Bond <forest@...ttletooquiet.net>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
	Dan Carpenter <dan.carpenter@...cle.com>
Subject: Re: [PATCH] staging: vt6655: fix direct dereferencing of user pointer

Hi Malcolm,

On Sat, Jul 26, 2014 at 12:09:49AM +0100, Malcolm Priestley wrote:
> Hi Guillaume
>
> On 25/07/14 13:47, Guillaume Clement wrote:
> > Sparse reported that the data from tagSCmdRequest is given by
> > userspace, so it should be tagged as such.
> extra is not in user space
>

All right.

This is still confusing to me because, taking the SIOCSIWGENIE ioctl as
an example, in device_main.c, we have this code:

rc = iwctl_siwgenie(dev, NULL, &(wrq->u.data), wrq->u.data.pointer);

Here the extra parameter is the last one, wrq->u.data.pointer.

I was led to believe that wrq->u.data.pointer is in userspace (this was
reported by sparse actually) because the pointer field in data is
actually defined as __user.


I can understand it's not though, if it was pre-processed by another
function. Or if that pointer was never given by userspace in the first
place (if so, why would it be inside a __user pointer) ?


> All Wireless Extensions ioctl extra calls originate from
> ioctl_standard_iw_point in wext-core.
>
> Either through ioctl or iw_handler

After digging into the code a bit more, I think that there may still be
an issue. Are we really going through ioctl_standard_iw_point in this
specific case ?

In the iwctl_handler definition, we have no handler because of:

   (iw_handler) NULL,                   // SIOCSIWGENIE


In the wireless_process_ioctl function, the returned handler should be
NULL if I understand correctly. I believe we're going through the "old
API" part with ndo_do_ioctl being called, which is consistent with the
fact that the code I showed earlier comes from that big switch in
device_ioctl in device_main.c.

This means we don't go to ioctl_standard_call, that would have called
ioctl_standard_iw_point, the function that should have done the
copy_from_user.

I didn't see a copy_from_user of the pointer field in the paths that I
think lead to device_ioctl in device_main.c.



Maybe the proper fix should have been to copy the content of
wrq->u.data.pointer to some buffer before calling iwctl_siwgenie, and
let this function not taking __user data?

This way, the driver is still ready to be converted to iw_handler
because it keeps the proper signature.


> All these functions should have been converted to iw_handler.

Yes certainly, but with no access to the real hardware for testing, I'd
rather not make deep changes like this for now.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists