| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Aug 2021 08:12:27 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Peter Collingbourne' <pcc@...gle.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Colin Ian King <colin.king@...onical.com>,
Cong Wang <cong.wang@...edance.com>,
Al Viro <viro@...iv.linux.org.uk>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH] net: don't unconditionally copy_from_user a struct ifreq
for socket ioctls
From: Peter Collingbourne
> Sent: 26 August 2021 02:27
>
> A common implementation of isatty(3) involves calling a ioctl passing
> a dummy struct argument and checking whether the syscall failed --
> bionic and glibc use TCGETS (passing a struct termios), and musl uses
> TIOCGWINSZ (passing a struct winsize). If the FD is a socket, we will
> copy sizeof(struct ifreq) bytes of data from the argument and return
> -EFAULT if that fails. The result is that the isatty implementations
> may return a non-POSIX-compliant value in errno in the case where part
> of the dummy struct argument is inaccessible, as both struct termios
> and struct winsize are smaller than struct ifreq (at least on arm64).
>
> Although there is usually enough stack space following the argument
> on the stack that this did not present a practical problem up to now,
> with MTE stack instrumentation it's more likely for the copy to fail,
> as the memory following the struct may have a different tag.
>
> Fix the problem by adding an early check for whether the ioctl is a
> valid socket ioctl, and return -ENOTTY if it isn't.
..
> +bool is_dev_ioctl_cmd(unsigned int cmd)
> +{
> + switch (cmd) {
> + case SIOCGIFNAME:
> + case SIOCGIFHWADDR:
> + case SIOCGIFFLAGS:
> + case SIOCGIFMETRIC:
> + case SIOCGIFMTU:
> + case SIOCGIFSLAVE:
> + case SIOCGIFMAP:
> + case SIOCGIFINDEX:
> + case SIOCGIFTXQLEN:
> + case SIOCETHTOOL:
> + case SIOCGMIIPHY:
> + case SIOCGMIIREG:
> + case SIOCSIFNAME:
> + case SIOCSIFMAP:
> + case SIOCSIFTXQLEN:
> + case SIOCSIFFLAGS:
> + case SIOCSIFMETRIC:
> + case SIOCSIFMTU:
> + case SIOCSIFHWADDR:
> + case SIOCSIFSLAVE:
> + case SIOCADDMULTI:
> + case SIOCDELMULTI:
> + case SIOCSIFHWBROADCAST:
> + case SIOCSMIIREG:
> + case SIOCBONDENSLAVE:
> + case SIOCBONDRELEASE:
> + case SIOCBONDSETHWADDR:
> + case SIOCBONDCHANGEACTIVE:
> + case SIOCBRADDIF:
> + case SIOCBRDELIF:
> + case SIOCSHWTSTAMP:
> + case SIOCBONDSLAVEINFOQUERY:
> + case SIOCBONDINFOQUERY:
> + case SIOCGIFMEM:
> + case SIOCSIFMEM:
> + case SIOCSIFLINK:
> + case SIOCWANDEV:
> + case SIOCGHWTSTAMP:
> + return true;
That is horrid.
Can't you at least use _IOC_TYPE() to check for socket ioctls.
Clearly it can succeed for 'random' driver ioctls, but will fail
for the tty ones.
The other sane thing is to check _IOC_SIZE().
Since all the SIOCxxxx have a correct _IOC_SIZE() that can be
used to check the user copy length.
(Unlike socket options the correct length is always supplied.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists