| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20181225191621.69120-1-kjlu@umn.edu>
Date: Tue, 25 Dec 2018 13:16:21 -0600
From: Kangjie Lu <kjlu@....edu>
To: kjlu@....edu
Cc: pakki001@....edu, Jan Harkes <jaharkes@...cmu.edu>,
coda@...cmu.edu, codalist@...a.cs.cmu.edu,
linux-kernel@...r.kernel.org
Subject: [PATCH] fs: coda: fix a double-fetch case when copy data to req->uc_data
"hdr" has been copied in from user space and "hdr.opcode" is checked.
The code copies it again. User space data between the two copies is
subject to modification if the user-space code is multithreaded and
malicious. The modification may invalidate the check. The fix avoids
copying the header from user space again.
Signed-off-by: Kangjie Lu <kjlu@....edu>
---
fs/coda/psdev.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
index fb4d1c654773..248d21f84b54 100644
--- a/fs/coda/psdev.c
+++ b/fs/coda/psdev.c
@@ -174,7 +174,10 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
hdr.opcode, hdr.unique);
nbytes = req->uc_outSize; /* don't have more space! */
}
- if (copy_from_user(req->uc_data, buf, nbytes)) {
+ *((struct coda_in_hdr *)req->uc_data) = hdr;
+ if (copy_from_user(req->uc_data + sizeof(hdr),
+ buf + sizeof(hdr),
+ nbytes - sizeof(hdr))) {
req->uc_flags |= CODA_REQ_ABORT;
wake_up(&req->uc_sleep);
retval = -EFAULT;
--
2.17.2 (Apple Git-113)
Powered by blists - more mailing lists