lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 16 Sep 2016 07:50:15 +0200
From:   Pavel Machek <pavel@....cz>
To:     David Lechner <david@...hnology.com>
Cc:     Jacek Anaszewski <j.anaszewski@...sung.com>,
        Richard Purdie <rpurdie@...ys.net>,
        linux-kernel@...r.kernel.org, linux-leds@...r.kernel.org,
        Marcel Holtmann <marcel@...tmann.org>
Subject: Re: [PATCH v3] leds: Introduce userspace leds driver

Hi!

> >>>>+    if (copy_from_user(&udev->user_dev, buffer,
> >>>>+               sizeof(struct uleds_user_dev))) {
> >>>>+        ret = -EFAULT;
> >>>>+        goto out;
> >>>>+    }
> >>>>+
> >>>>+    if (!udev->user_dev.name[0]) {
> >>>>+        ret = -EINVAL;
> >>>>+        goto out;
> >>>>+    }
> >>>>+
> >>>>+    ret = led_classdev_register(NULL, &udev->led_cdev);
> >>>>+    if (ret < 0)
> >>>>+        goto out;
> >>
> >>No sanity checking on the name -> probably a security hole. Do not
> >>push this upstream before this is fixed.
> >
> 
> If this is a serious security issue, then you should also raise an issue
> with input maintainers because this is the extent of sanity checking for
> uinput device names as well.

I guess that should be fixed. But lets not add new ones.

> I must confess that I am no security expert, so unless you can give specific
> examples of what potential threats are, I will not be able to guess what I
> need to do to fix it.
> 
> After some digging around the kernel, I don't see many instances of
> validating device node names. The best I have found so far comes from
> create_entry() in binfmt_misc.c
> 
> 	if (!e->name[0] ||
> 	    !strcmp(e->name, ".") ||
> 	    !strcmp(e->name, "..") ||
> 	    strchr(e->name, '/'))
> 		goto einval;
> 
> Would something like this be a sufficient sanity check? I suppose we could
> also check for non-printing characters, but I don't think ignoring them
> would be a security issue.

That would be minimum, yes. I guess it would be better/easier to just
limit the names to [a-zA-Z:-_0-9]*?

Thanks,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Powered by blists - more mailing lists