lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YNEU78BBWy2dS0Dq@google.com>
Date:   Mon, 21 Jun 2021 15:38:39 -0700
From:   Dmitry Torokhov <dmitry.torokhov@...il.com>
To:     Alexander Larkin <avlarkin82@...il.com>
Cc:     torvalds@...ux-foundation.org, dan.carpenter@...cle.com,
        linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
        murray.mcallister@...il.com, security@...nel.org
Subject: Re: [PATCH] Input: joydev - prevent potential write out of bounds in
 ioctl

Hi Alexander,

On Tue, Jun 22, 2021 at 12:32:15AM +0300, Alexander Larkin wrote:
> I'm still studying "git send-email", so the first intro part of prev msg deleted, sorry, again:
> 
> Continuying my previous message, the JSIOCGBTNMAP always returns 1024 return code,
> but not "amount of buttons" like I said before
> (that is probably the size of the keymap that is _u16 keymap[KEY_MAX - BTN_MISC + 1] ).
> Is it correct?
> Reading the line of kernel joydev.c
> 579	len = min_t(size_t, _IOC_SIZE(cmd), sizeof(joydev->keypam)),
> , why the min is always sizeof(joydev->keypam) ?
> If I try to call from the userspace
> ioctl(fd, JSIOCGBTNMAP, buttons)
> where the buttons is "__u16 buttons[5]", then still I get 1024.
> 
> Also I did userspace test (that shows how kernel overwrites (out of array bound) the userspace):
> 1. The buttons is "__u16 buttons[5]" in userspace,
> 2. buttons[5] = 1;
> 3. ioctl(fd, JSIOCGBTNMAP, buttons)
> 4. printf("new %i\n", buttons[5]),
> and the output is "new 0", so the value is being overwritten by kernel (so 1024 bytes copied
> to 10 bytes buffer).
> 
> It looks like I don't understand what is the expected value of the _IOC_SIZE(cmd),
> why not 10 for this read ioctl example? Is it possible to make this ioctl safe, so
> it doesn't copy more data than user can handle?

The definition of JSIOCGBTNMAP is:

#define JSIOCGBTNMAP _IOR('j', 0x34, __u16[KEY_MAX - BTN_MISC + 1])

so the size is encoded in the definition and userspace is supposed to
supply buffer of appropriate size. In your examples you are essentially
are lying to the kernel and say that the buffer size is KEY_MAX -
BTN_MISC + 1 words while in reality you only supply 10 bytes (5 words).

Maybe we should have defined (long time ago)

#define JSIOCGBTNMAP_LEN(len)	_IOC(_IOC_READ, 'j', 0x43, len)

to allow userspace better control over the buffer, but I consider joydev
interface obsolete and all new clients should be using evdev to get
events from input devices. so I am not sure if there is any benefit in
fixing joydev ioctls.

Thanks.

-- 
Dmitry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ