lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 11 Jun 2021 14:03:20 +0200
From:   Hans Verkuil <hverkuil-cisco@...all.nl>
To:     Arnd Bergmann <arnd@...nel.org>,
        Mauro Carvalho Chehab <mchehab@...nel.org>
Cc:     Arnd Bergmann <arnd@...db.de>,
        "Lad, Prabhakar" <prabhakar.csengg@...il.com>,
        Eduardo Valentin <edubezval@...il.com>,
        Sakari Ailus <sakari.ailus@...ux.intel.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Vaibhav Gupta <vaibhavgupta40@...il.com>,
        Liu Shixin <liushixin2@...wei.com>,
        Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        Jacopo Mondi <jacopo+renesas@...ndi.org>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
        linux-staging@...ts.linux.dev
Subject: Re: [PATCH v2 2/7] media: v4l2-core: explicitly clear ioctl input
 data

On 10/06/2021 23:43, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
> 
> As seen from a recent syzbot bug report, mistakes in the compat ioctl
> implementation can lead to uninitialized kernel stack data getting used
> as input for driver ioctl handlers.
> 
> The reported bug is now fixed, but it's possible that other related
> bugs are still present or get added in the future. As the drivers need
> to check user input already, the possible impact is fairly low, but it
> might still cause an information leak.
> 
> To be on the safe side, always clear the entire ioctl buffer before
> calling the conversion handler functions that are meant to initialize
> them.
> 
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
>  drivers/media/v4l2-core/v4l2-ioctl.c | 51 ++++++++++++++++------------
>  1 file changed, 29 insertions(+), 22 deletions(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index 58df927aec7e..bf5eb07296a5 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -3122,12 +3122,23 @@ static int video_get_user(void __user *arg, void *parg,
>  
>  	if (cmd == real_cmd) {
>  		if (copy_from_user(parg, (void __user *)arg, n))
> -			err = -EFAULT;
> -	} else if (in_compat_syscall()) {
> -		err = v4l2_compat_get_user(arg, parg, cmd);
> -	} else {
> -		switch (cmd) {
> +			return -EFAULT;
> +
> +		/* zero out anything we don't copy from userspace */
> +		if (n < _IOC_SIZE(real_cmd))
> +			memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);

This should always happen, not just when cmd == real_cmd.

The comment is a bit misleading: besides zeroing what isn't copied from
userspace, it also zeroes copied fields based on INFO_FL_CLEAR_MASK.

With this change that no longer happens and v4l2-compliance starts complaining.

> +
> +		return 0;
> +	}
> +
> +	/* zero out whole buffer first to deal with missing emulation */
> +	memset(parg, 0, _IOC_SIZE(real_cmd));
> +
> +	if (in_compat_syscall())
> +		return v4l2_compat_get_user(arg, parg, cmd);
> +
>  #if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
> +	switch (cmd) {
>  		case VIDIOC_QUERYBUF_TIME32:
>  		case VIDIOC_QBUF_TIME32:
>  		case VIDIOC_DQBUF_TIME32:

The 'case' statements need to be indented one tab less.

> @@ -3140,28 +3151,24 @@ static int video_get_user(void __user *arg, void *parg,
>  
>  			*vb = (struct v4l2_buffer) {
>  				.index		= vb32.index,
> -					.type		= vb32.type,
> -					.bytesused	= vb32.bytesused,
> -					.flags		= vb32.flags,
> -					.field		= vb32.field,
> -					.timestamp.tv_sec	= vb32.timestamp.tv_sec,
> -					.timestamp.tv_usec	= vb32.timestamp.tv_usec,
> -					.timecode	= vb32.timecode,
> -					.sequence	= vb32.sequence,
> -					.memory		= vb32.memory,
> -					.m.userptr	= vb32.m.userptr,
> -					.length		= vb32.length,
> -					.request_fd	= vb32.request_fd,
> +				.type		= vb32.type,
> +				.bytesused	= vb32.bytesused,
> +				.flags		= vb32.flags,
> +				.field		= vb32.field,
> +				.timestamp.tv_sec	= vb32.timestamp.tv_sec,
> +				.timestamp.tv_usec	= vb32.timestamp.tv_usec,
> +				.timecode	= vb32.timecode,
> +				.sequence	= vb32.sequence,
> +				.memory		= vb32.memory,
> +				.m.userptr	= vb32.m.userptr,
> +				.length		= vb32.length,
> +				.request_fd	= vb32.request_fd,

Can you put these whitespace changes in a separate patch?

>  			};
>  			break;
>  		}
> -#endif
> -		}
>  	}
> +#endif
>  
> -	/* zero out anything we don't copy from userspace */
> -	if (!err && n < _IOC_SIZE(real_cmd))
> -		memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);
>  	return err;
>  }
>  
> 

I ended up with this code, and then my tests passed:

       if (cmd == real_cmd) {
                if (copy_from_user(parg, (void __user *)arg, n))
                        return -EFAULT;
        } else if (in_compat_syscall()) {
                memset(parg, 0, n);
                err = v4l2_compat_get_user(arg, parg, cmd);
        } else {
#if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
                memset(parg, 0, n);
                switch (cmd) {
                case VIDIOC_QUERYBUF_TIME32:
                case VIDIOC_QBUF_TIME32:
                case VIDIOC_DQBUF_TIME32:
                case VIDIOC_PREPARE_BUF_TIME32: {
                        struct v4l2_buffer_time32 vb32;
                        struct v4l2_buffer *vb = parg;

                        if (copy_from_user(&vb32, arg, sizeof(vb32)))
                                return -EFAULT;

                        *vb = (struct v4l2_buffer) {
                                .index          = vb32.index,
                                        .type           = vb32.type,
                                        .bytesused      = vb32.bytesused,
                                        .flags          = vb32.flags,
                                        .field          = vb32.field,
                                        .timestamp.tv_sec       = vb32.timestamp.tv_sec,
                                        .timestamp.tv_usec      = vb32.timestamp.tv_usec,
                                        .timecode       = vb32.timecode,
                                        .sequence       = vb32.sequence,
                                        .memory         = vb32.memory,
                                        .m.userptr      = vb32.m.userptr,
                                        .length         = vb32.length,
                                        .request_fd     = vb32.request_fd,
                        };
                        break;
                }
                }
#endif
        }

        /* zero out anything we don't copy from userspace */
        if (!err && n < _IOC_SIZE(real_cmd))
                memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);

        return err;


That said, I also ran the regression tests on a i686 VM, and there I got a
bunch of failures, but that was *without* your patches, so I think something
unrelated broke. I'll have to dig more into this in the next few days.

But I wanted to get this out first, since this patch is clearly wrong.

Regards,

	Hans

Powered by blists - more mailing lists