lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKFNMok9WTV5uX3BBfr8eYiuJXvUY6TuYW=tQYvBzdCUYsxcwA@mail.gmail.com>
Date:   Sat, 4 Nov 2023 02:44:15 +0900
From:   Ryusuke Konishi <konishi.ryusuke@...il.com>
To:     Philipp Stanner <pstanner@...hat.com>
Cc:     linux-nilfs@...r.kernel.org, linux-kernel@...r.kernel.org,
        Dave Airlie <airlied@...hat.com>
Subject: Re: [PATCH] fs/nilfs2: copy userspace-array safely

On Fri, Nov 3, 2023 at 3:38 AM Philipp Stanner wrote:
>
> ioctl.c utilizes memdup_user() to copy a userspace array. This is done
> without an overflow-check.
>
> Use the new wrapper memdup_array_user() to copy the array more safely.
>
> Suggested-by: Dave Airlie <airlied@...hat.com>
> Signed-off-by: Philipp Stanner <pstanner@...hat.com>
> ---
> Linus recently merged this new wrapper for Kernel v6.7

The following overflow check is performed just before the usage of
memdup_user():

        if (nsegs > UINT_MAX / sizeof(__u64))
                goto out;

This was introduced by commit 1ecd3c7ea76488 ("nilfs2: avoid
overflowing segment numbers in nilfs_ioctl_clean_segments()") to avoid
overflowing nsegs * sizeof(__u64) in the subsequent call to
memdup_user().

I learned about memdup_array_user() this time, and it seems to check
for overflow when multiplying two size_t arguments (i.e. the number of
elements and size of the array to be copied).

Since size_t is 32-bit or 64-bit depending on the architecture, I
think the overflow check that memdup_array_user() does
is included in the above upper limit check by UINT_MAX.

So, for security reasons, I don't think this change is necessary.  (Am
I missing something?)

In terms of cleanup, I think the clarification this patch brings is
good, but in that case, I'm concerned about the duplication of
overflow checks.

Thanks,
Ryusuke Konishi

> ---
>  fs/nilfs2/ioctl.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
> index 40ffade49f38..6a9dceebb18d 100644
> --- a/fs/nilfs2/ioctl.c
> +++ b/fs/nilfs2/ioctl.c
> @@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
>
>         /*
>          * argv[4] points to segment numbers this ioctl cleans.  We
> -        * use kmalloc() for its buffer because memory used for the
> -        * segment numbers is enough small.
> +        * use kmalloc() for its buffer because the memory used for the
> +        * segment numbers is small enough.
>          */
> -       kbufs[4] = memdup_user((void __user *)(unsigned long)argv[4].v_base,
> -                              nsegs * sizeof(__u64));
> +       kbufs[4] = memdup_array_user((void __user *)(unsigned long)argv[4].v_base,
> +                                    nsegs, sizeof(__u64));
>         if (IS_ERR(kbufs[4])) {
>                 ret = PTR_ERR(kbufs[4]);
>                 goto out;
> --
> 2.41.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ