| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 05 Oct 2018 11:47:35 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: wang6495@....edu
Cc: kjlu@....edu, santosh@...lsio.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: cxgb3_main: fix a missing-check bug
From: Wenwen Wang <wang6495@....edu>
Date: Fri, 5 Oct 2018 08:48:27 -0500
> In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
> the user-space buffer 'useraddr' to 'cmd' and checked through the
> switch statement. If the command is not as expected, an error code
> EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
> switch statement, the whole buffer of 'useraddr' is copied again to a
> specific data structure, according to what kind of command is requested.
> However, after the second copy, there is no re-check on the newly-copied
> command. Given that the buffer 'useraddr' is in the user space, a malicious
> user can race to change the command between the two copies. By doing so,
> the attacker can supply malicious data to the kernel and cause undefined
> behavior.
>
> This patch adds a re-check in each case of the switch statement if there is
> a second copy in that case, to re-check whether the command obtained in the
> second copy is the same as the one in the first copy. If not, an error code
> EINVAL is returned.
>
> Signed-off-by: Wenwen Wang <wang6495@....edu>
Applied.
Powered by blists - more mailing lists