| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 03 Oct 2018 10:56:40 +0300
From: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
To: Wenwen Wang <wang6495@....edu>, Wenwen Wang <wang6495@....edu>
Cc: Kangjie Lu <kjlu@....edu>, open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] stm class: fix a missing-check bug
Wenwen Wang <wang6495@....edu> writes:
> In stm_char_policy_set_ioctl(), the 'size' field of the struct
> 'stp_polic_id' is firstly copied from the user space and then checked,
> because the length of the 'id' field in this struct, which represents an
> identification string, is not fixed. If the 'size' field cannot pass the
> check, an error code EINVAL will be returned. However, after the check, the
> whole struct is copied again from the user space. Given that the user data
> resides in the user space, a malicious user-space process can race to
> change the size between the two copies. By doing so, the attacker can
> bypass the check on the 'size' field and inject malicious data.
How? The id->size is not used for anything.
And even if there was a problem, this:
> - if (copy_from_user(id, arg, size)) {
> + if (copy_from_user(&id->master, (char __user *)arg + sizeof(size),
> + size - sizeof(size))) {
is completely pointless.
> ret = -EFAULT;
> goto err_free;
> }
>
> + id->size = size;
So, if we did use id->size after the copying, we'd indeed have this line
in the code. But since we don't, it's also pointless, so it's not there.
Thanks,
--
Alex
Powered by blists - more mailing lists