| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20140726082429.GA3121@pleinair.baobob.org> Date: Sat, 26 Jul 2014 10:24:32 +0200 From: Guillaume CLÉMENT <gclement@...bob.org> To: Malcolm Priestley <tvboxspy@...il.com> Cc: Guillaume Clement <gclement@...bob.org>, Forest Bond <forest@...ttletooquiet.net>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org, Dan Carpenter <dan.carpenter@...cle.com> Subject: Re: [PATCH] staging: vt6655: fix direct dereferencing of user pointer Hi Malcolm, On Sat, Jul 26, 2014 at 12:09:49AM +0100, Malcolm Priestley wrote: > Hi Guillaume > > On 25/07/14 13:47, Guillaume Clement wrote: > > Sparse reported that the data from tagSCmdRequest is given by > > userspace, so it should be tagged as such. > extra is not in user space > All right. This is still confusing to me because, taking the SIOCSIWGENIE ioctl as an example, in device_main.c, we have this code: rc = iwctl_siwgenie(dev, NULL, &(wrq->u.data), wrq->u.data.pointer); Here the extra parameter is the last one, wrq->u.data.pointer. I was led to believe that wrq->u.data.pointer is in userspace (this was reported by sparse actually) because the pointer field in data is actually defined as __user. I can understand it's not though, if it was pre-processed by another function. Or if that pointer was never given by userspace in the first place (if so, why would it be inside a __user pointer) ? > All Wireless Extensions ioctl extra calls originate from > ioctl_standard_iw_point in wext-core. > > Either through ioctl or iw_handler After digging into the code a bit more, I think that there may still be an issue. Are we really going through ioctl_standard_iw_point in this specific case ? In the iwctl_handler definition, we have no handler because of: (iw_handler) NULL, // SIOCSIWGENIE In the wireless_process_ioctl function, the returned handler should be NULL if I understand correctly. I believe we're going through the "old API" part with ndo_do_ioctl being called, which is consistent with the fact that the code I showed earlier comes from that big switch in device_ioctl in device_main.c. This means we don't go to ioctl_standard_call, that would have called ioctl_standard_iw_point, the function that should have done the copy_from_user. I didn't see a copy_from_user of the pointer field in the paths that I think lead to device_ioctl in device_main.c. Maybe the proper fix should have been to copy the content of wrq->u.data.pointer to some buffer before calling iwctl_siwgenie, and let this function not taking __user data? This way, the driver is still ready to be converted to iw_handler because it keeps the proper signature. > All these functions should have been converted to iw_handler. Yes certainly, but with no access to the real hardware for testing, I'd rather not make deep changes like this for now. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists