lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YSc3MGVllU8qSJXV@kroah.com>
Date:   Thu, 26 Aug 2021 08:39:44 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Peter Collingbourne <pcc@...gle.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Colin Ian King <colin.king@...onical.com>,
        Cong Wang <cong.wang@...edance.com>,
        Al Viro <viro@...iv.linux.org.uk>, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] net: don't unconditionally copy_from_user a struct ifreq
 for socket ioctls

On Wed, Aug 25, 2021 at 06:27:22PM -0700, Peter Collingbourne wrote:
> A common implementation of isatty(3) involves calling a ioctl passing
> a dummy struct argument and checking whether the syscall failed --
> bionic and glibc use TCGETS (passing a struct termios), and musl uses
> TIOCGWINSZ (passing a struct winsize). If the FD is a socket, we will
> copy sizeof(struct ifreq) bytes of data from the argument and return
> -EFAULT if that fails. The result is that the isatty implementations
> may return a non-POSIX-compliant value in errno in the case where part
> of the dummy struct argument is inaccessible, as both struct termios
> and struct winsize are smaller than struct ifreq (at least on arm64).
> 
> Although there is usually enough stack space following the argument
> on the stack that this did not present a practical problem up to now,
> with MTE stack instrumentation it's more likely for the copy to fail,
> as the memory following the struct may have a different tag.
> 
> Fix the problem by adding an early check for whether the ioctl is a
> valid socket ioctl, and return -ENOTTY if it isn't.
> 
> Fixes: 44c02a2c3dc5 ("dev_ioctl(): move copyin/copyout to callers")
> Link: https://linux-review.googlesource.com/id/I869da6cf6daabc3e4b7b82ac979683ba05e27d4d
> Signed-off-by: Peter Collingbourne <pcc@...gle.com>
> Cc: <stable@...r.kernel.org> # 4.19
> ---
>  include/linux/netdevice.h |  1 +
>  net/core/dev_ioctl.c      | 64 ++++++++++++++++++++++++++++++++-------
>  net/socket.c              |  6 +++-
>  3 files changed, 59 insertions(+), 12 deletions(-)
> 
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index eaf5bb008aa9..481b90ef0d32 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -4012,6 +4012,7 @@ int netdev_rx_handler_register(struct net_device *dev,
>  void netdev_rx_handler_unregister(struct net_device *dev);
>  
>  bool dev_valid_name(const char *name);
> +bool is_dev_ioctl_cmd(unsigned int cmd);

"is_socket_ioctl_cmd()" might be a better global name here.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ