lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241106081004.16507-A-hca@linux.ibm.com>
Date: Wed, 6 Nov 2024 09:10:04 +0100
From: Heiko Carstens <hca@...ux.ibm.com>
To: Steffen Eiden <seiden@...ux.ibm.com>
Cc: linux-kernel@...r.kernel.org, linux-s390@...r.kernel.org,
        Ingo Franzki <ifranzki@...ux.ibm.com>,
        Christoph Schlameuss <schlameuss@...ux.ibm.com>,
        Janosch Frank <frankja@...ux.ibm.com>,
        Claudio Imbrenda <imbrenda@...ux.ibm.com>, borntraeger@...ux.ibm.com
Subject: Re: [PATCH v3] s390/uvdevice: Support longer secret lists

On Mon, Nov 04, 2024 at 04:36:09PM +0100, Steffen Eiden wrote:
> Enable the list IOCTL to provide lists longer than one page (85 entries).
> The list IOCTL now accepts any argument length in page granularity.
> It fills the argument up to this length with entries until the list
> ends. User space unaware of this enhancement will still receive one page
> of data and an uv_rc 0x0100.
> 
> Signed-off-by: Steffen Eiden <seiden@...ux.ibm.com>
> ---
>  v3: remove upper boundary (8 pages) for arg len

...

> +static int uvio_get_list(void *zpage, struct uvio_ioctl_cb *uv_ioctl)
> +{
> +	const size_t data_off = offsetof(struct uv_secret_list, secrets);
> +	u8 __user *user_buf = (u8 __user *)uv_ioctl->argument_addr;
> +	struct uv_secret_list *list = zpage;
> +	u16 num_secrets_stored = 0;
> +	size_t user_off = data_off;
> +	size_t copy_len;
> +
> +	do {
> +		uv_list_secrets(list, list->next_secret_idx, &uv_ioctl->uv_rc,
> +				&uv_ioctl->uv_rrc);
> +		if (uv_ioctl->uv_rc != UVC_RC_EXECUTED &&
> +		    uv_ioctl->uv_rc != UVC_RC_MORE_DATA)
> +			break;
> +
> +		copy_len = sizeof(list->secrets[0]) * list->num_secr_stored;
> +		WARN_ON(copy_len > sizeof(list->secrets));

Is this really possible? Without checking the documentation I guess
this is not possible and therefore the WARN_ON() should be removed.

If however this can be possible then this should be turned into a
WARN_ON_ONCE().

> +		if (copy_to_user(user_buf + user_off, list->secrets, copy_len))
> +			return -EFAULT;

...and in addition, if the above would be possible this _could_ copy
random kernel data to user space. Not good.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ