lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 15 Sep 2016 11:34:44 -0500
From:   David Lechner <david@...hnology.com>
To:     Jacek Anaszewski <j.anaszewski@...sung.com>,
        Pavel Machek <pavel@....cz>
Cc:     Richard Purdie <rpurdie@...ys.net>, linux-kernel@...r.kernel.org,
        linux-leds@...r.kernel.org, Marcel Holtmann <marcel@...tmann.org>
Subject: Re: [PATCH v3] leds: Introduce userspace leds driver

On 09/15/2016 09:54 AM, Jacek Anaszewski wrote:
> Hi Pavel,
>
> On 09/15/2016 03:08 PM, Pavel Machek wrote:
>> Hi!
>>
>>>> +    if (copy_from_user(&udev->user_dev, buffer,
>>>> +               sizeof(struct uleds_user_dev))) {
>>>> +        ret = -EFAULT;
>>>> +        goto out;
>>>> +    }
>>>> +
>>>> +    if (!udev->user_dev.name[0]) {
>>>> +        ret = -EINVAL;
>>>> +        goto out;
>>>> +    }
>>>> +
>>>> +    ret = led_classdev_register(NULL, &udev->led_cdev);
>>>> +    if (ret < 0)
>>>> +        goto out;
>>
>> No sanity checking on the name -> probably a security hole. Do not
>> push this upstream before this is fixed.
>

If this is a serious security issue, then you should also raise an issue 
with input maintainers because this is the extent of sanity checking for 
uinput device names as well.

I must confess that I am no security expert, so unless you can give 
specific examples of what potential threats are, I will not be able to 
guess what I need to do to fix it.

After some digging around the kernel, I don't see many instances of 
validating device node names. The best I have found so far comes from 
create_entry() in binfmt_misc.c

	if (!e->name[0] ||
	    !strcmp(e->name, ".") ||
	    !strcmp(e->name, "..") ||
	    strchr(e->name, '/'))
		goto einval;

Would something like this be a sufficient sanity check? I suppose we 
could also check for non-printing characters, but I don't think ignoring 
them would be a security issue.


> Thanks for catching this.
>
> David, please check if the LED name sticks to the LED class
> device naming convention.
>
> And one thing that caught my eye only now - please use
> devm_led_classdev_register().
>
> For now I'm dropping the patch.
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ