| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a59eeddd-34bb-6b84-06b3-9fb1934d447e@xs4all.nl>
Date: Fri, 11 Jun 2021 14:03:20 +0200
From: Hans Verkuil <hverkuil-cisco@...all.nl>
To: Arnd Bergmann <arnd@...nel.org>,
Mauro Carvalho Chehab <mchehab@...nel.org>
Cc: Arnd Bergmann <arnd@...db.de>,
"Lad, Prabhakar" <prabhakar.csengg@...il.com>,
Eduardo Valentin <edubezval@...il.com>,
Sakari Ailus <sakari.ailus@...ux.intel.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Vaibhav Gupta <vaibhavgupta40@...il.com>,
Liu Shixin <liushixin2@...wei.com>,
Laurent Pinchart <laurent.pinchart@...asonboard.com>,
Jacopo Mondi <jacopo+renesas@...ndi.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
linux-staging@...ts.linux.dev
Subject: Re: [PATCH v2 2/7] media: v4l2-core: explicitly clear ioctl input
data
On 10/06/2021 23:43, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
>
> As seen from a recent syzbot bug report, mistakes in the compat ioctl
> implementation can lead to uninitialized kernel stack data getting used
> as input for driver ioctl handlers.
>
> The reported bug is now fixed, but it's possible that other related
> bugs are still present or get added in the future. As the drivers need
> to check user input already, the possible impact is fairly low, but it
> might still cause an information leak.
>
> To be on the safe side, always clear the entire ioctl buffer before
> calling the conversion handler functions that are meant to initialize
> them.
>
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> drivers/media/v4l2-core/v4l2-ioctl.c | 51 ++++++++++++++++------------
> 1 file changed, 29 insertions(+), 22 deletions(-)
>
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index 58df927aec7e..bf5eb07296a5 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -3122,12 +3122,23 @@ static int video_get_user(void __user *arg, void *parg,
>
> if (cmd == real_cmd) {
> if (copy_from_user(parg, (void __user *)arg, n))
> - err = -EFAULT;
> - } else if (in_compat_syscall()) {
> - err = v4l2_compat_get_user(arg, parg, cmd);
> - } else {
> - switch (cmd) {
> + return -EFAULT;
> +
> + /* zero out anything we don't copy from userspace */
> + if (n < _IOC_SIZE(real_cmd))
> + memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);
This should always happen, not just when cmd == real_cmd.
The comment is a bit misleading: besides zeroing what isn't copied from
userspace, it also zeroes copied fields based on INFO_FL_CLEAR_MASK.
With this change that no longer happens and v4l2-compliance starts complaining.
> +
> + return 0;
> + }
> +
> + /* zero out whole buffer first to deal with missing emulation */
> + memset(parg, 0, _IOC_SIZE(real_cmd));
> +
> + if (in_compat_syscall())
> + return v4l2_compat_get_user(arg, parg, cmd);
> +
> #if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
> + switch (cmd) {
> case VIDIOC_QUERYBUF_TIME32:
> case VIDIOC_QBUF_TIME32:
> case VIDIOC_DQBUF_TIME32:
The 'case' statements need to be indented one tab less.
> @@ -3140,28 +3151,24 @@ static int video_get_user(void __user *arg, void *parg,
>
> *vb = (struct v4l2_buffer) {
> .index = vb32.index,
> - .type = vb32.type,
> - .bytesused = vb32.bytesused,
> - .flags = vb32.flags,
> - .field = vb32.field,
> - .timestamp.tv_sec = vb32.timestamp.tv_sec,
> - .timestamp.tv_usec = vb32.timestamp.tv_usec,
> - .timecode = vb32.timecode,
> - .sequence = vb32.sequence,
> - .memory = vb32.memory,
> - .m.userptr = vb32.m.userptr,
> - .length = vb32.length,
> - .request_fd = vb32.request_fd,
> + .type = vb32.type,
> + .bytesused = vb32.bytesused,
> + .flags = vb32.flags,
> + .field = vb32.field,
> + .timestamp.tv_sec = vb32.timestamp.tv_sec,
> + .timestamp.tv_usec = vb32.timestamp.tv_usec,
> + .timecode = vb32.timecode,
> + .sequence = vb32.sequence,
> + .memory = vb32.memory,
> + .m.userptr = vb32.m.userptr,
> + .length = vb32.length,
> + .request_fd = vb32.request_fd,
Can you put these whitespace changes in a separate patch?
> };
> break;
> }
> -#endif
> - }
> }
> +#endif
>
> - /* zero out anything we don't copy from userspace */
> - if (!err && n < _IOC_SIZE(real_cmd))
> - memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);
> return err;
> }
>
>
I ended up with this code, and then my tests passed:
if (cmd == real_cmd) {
if (copy_from_user(parg, (void __user *)arg, n))
return -EFAULT;
} else if (in_compat_syscall()) {
memset(parg, 0, n);
err = v4l2_compat_get_user(arg, parg, cmd);
} else {
#if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
memset(parg, 0, n);
switch (cmd) {
case VIDIOC_QUERYBUF_TIME32:
case VIDIOC_QBUF_TIME32:
case VIDIOC_DQBUF_TIME32:
case VIDIOC_PREPARE_BUF_TIME32: {
struct v4l2_buffer_time32 vb32;
struct v4l2_buffer *vb = parg;
if (copy_from_user(&vb32, arg, sizeof(vb32)))
return -EFAULT;
*vb = (struct v4l2_buffer) {
.index = vb32.index,
.type = vb32.type,
.bytesused = vb32.bytesused,
.flags = vb32.flags,
.field = vb32.field,
.timestamp.tv_sec = vb32.timestamp.tv_sec,
.timestamp.tv_usec = vb32.timestamp.tv_usec,
.timecode = vb32.timecode,
.sequence = vb32.sequence,
.memory = vb32.memory,
.m.userptr = vb32.m.userptr,
.length = vb32.length,
.request_fd = vb32.request_fd,
};
break;
}
}
#endif
}
/* zero out anything we don't copy from userspace */
if (!err && n < _IOC_SIZE(real_cmd))
memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);
return err;
That said, I also ran the regression tests on a i686 VM, and there I got a
bunch of failures, but that was *without* your patches, so I think something
unrelated broke. I'll have to dig more into this in the next few days.
But I wanted to get this out first, since this patch is clearly wrong.
Regards,
Hans
Powered by blists - more mailing lists