Message-Id: <20061209.010545.126590710.davem@davemloft.net>
Date: Sat, 09 Dec 2006 01:05:45 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: dada1@...mosbay.com
Cc: shemminger@...l.org, netdev@...r.kernel.org, hch@....de
Subject: Re: [Bug 7635] New: ioctl(fd,TCSBRK,1) on socket yields EFAULT,
expected EINVAL/ENOTTY
From: Eric Dumazet <dada1@...mosbay.com>
Date: Sat, 09 Dec 2006 09:06:27 +0100
> Well, as long as you/we don't break isatty() (which tries an
> ioctl(fd,TCGETS,&termios) on the fd), it should be OK.
>
> So TCGETS *MUST* return an error on a socket (and other non tty files)

Actually, did anyone actually bother to look at what's happening
here in this case? It's not an ioctl number aliasing issue at
all, rather dev_ioctl() blindly tries to copy a structure in
from userspace before checking the ioctl number against the
list of ioctls it actually understands.

That's the bug, anyone care to code up the fix to guard that
copy_from_user() call in dev_ioctl() with a big switch statement
verification on the ioctl number?

Something like:

	switch (cmd) {
	case SIOC*:
		break;
	default:
		if (cmd == SIOCWANDEV ||
		    (cmd >= SIOCDEVPRIVATE &&
		     cmd <= SIOCDEVPRIVATE + 15))
			break;
		if (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST)
			break;
		return -EINVAL;
	}

	if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
		return -EFAULT;

Thanks.
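
Added example, not part of the original message and not kernel code: a userspace model of the two orderings discussed above, showing why ioctl(fd,TCSBRK,1) yields EFAULT when the copy runs first and EINVAL when the command is checked first. Assumptions: model_copy_from_user(), struct ifreq_model, sample_req and both dev_ioctl_*() names are hypothetical, and SIOCGIFFLAGS alone stands in for the "case SIOC*:" list.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* ioctl numbers with the values used by the Linux headers */
#define TCSBRK         0x5409
#define SIOCGIFFLAGS   0x8913
#define SIOCWANDEV     0x894A
#define SIOCDEVPRIVATE 0x89F0
#define SIOCIWFIRST    0x8B00
#define SIOCIWLAST     0x8BFF

struct ifreq_model { char name[16]; char data[24]; }; /* stand-in for struct ifreq */
struct ifreq_model sample_req;                        /* constructed valid "user" buffer */

/* Model of copy_from_user(): nonzero when the pointer is unusable.
 * Assumption: addresses below 4096 count as unmapped. */
static int model_copy_from_user(void *dst, const void *src, size_t n)
{
	if ((uintptr_t)src < 4096)
		return 1;
	memcpy(dst, src, n);
	return 0;
}

static int cmd_is_known(unsigned int cmd)
{
	if (cmd == SIOCGIFFLAGS || cmd == SIOCWANDEV)
		return 1;
	if (cmd >= SIOCDEVPRIVATE && cmd <= SIOCDEVPRIVATE + 15)
		return 1;
	return cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST;
}

/* Ordering the message describes as the bug: copy, then look at cmd. */
int dev_ioctl_copy_first(unsigned int cmd, const void *arg)
{
	struct ifreq_model ifr;
	if (model_copy_from_user(&ifr, arg, sizeof(ifr)))
		return -EFAULT;
	return cmd_is_known(cmd) ? 0 : -EINVAL;
}

/* Ordering the message proposes: reject unknown cmd before touching arg. */
int dev_ioctl_check_first(unsigned int cmd, const void *arg)
{
	struct ifreq_model ifr;
	if (!cmd_is_known(cmd))
		return -EINVAL;
	return model_copy_from_user(&ifr, arg, sizeof(ifr)) ? -EFAULT : 0;
}
```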