lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <11f72b27c12f46eb8bef1d1773980c54@AcuMS.aculab.com>
Date:   Thu, 26 Aug 2021 08:12:27 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Peter Collingbourne' <pcc@...gle.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Colin Ian King <colin.king@...onical.com>,
        Cong Wang <cong.wang@...edance.com>,
        Al Viro <viro@...iv.linux.org.uk>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH] net: don't unconditionally copy_from_user a struct ifreq
 for socket ioctls

From: Peter Collingbourne
> Sent: 26 August 2021 02:27
> 
> A common implementation of isatty(3) involves calling a ioctl passing
> a dummy struct argument and checking whether the syscall failed --
> bionic and glibc use TCGETS (passing a struct termios), and musl uses
> TIOCGWINSZ (passing a struct winsize). If the FD is a socket, we will
> copy sizeof(struct ifreq) bytes of data from the argument and return
> -EFAULT if that fails. The result is that the isatty implementations
> may return a non-POSIX-compliant value in errno in the case where part
> of the dummy struct argument is inaccessible, as both struct termios
> and struct winsize are smaller than struct ifreq (at least on arm64).
> 
> Although there is usually enough stack space following the argument
> on the stack that this did not present a practical problem up to now,
> with MTE stack instrumentation it's more likely for the copy to fail,
> as the memory following the struct may have a different tag.
> 
> Fix the problem by adding an early check for whether the ioctl is a
> valid socket ioctl, and return -ENOTTY if it isn't.
..
> +bool is_dev_ioctl_cmd(unsigned int cmd)
> +{
> +	switch (cmd) {
> +	case SIOCGIFNAME:
> +	case SIOCGIFHWADDR:
> +	case SIOCGIFFLAGS:
> +	case SIOCGIFMETRIC:
> +	case SIOCGIFMTU:
> +	case SIOCGIFSLAVE:
> +	case SIOCGIFMAP:
> +	case SIOCGIFINDEX:
> +	case SIOCGIFTXQLEN:
> +	case SIOCETHTOOL:
> +	case SIOCGMIIPHY:
> +	case SIOCGMIIREG:
> +	case SIOCSIFNAME:
> +	case SIOCSIFMAP:
> +	case SIOCSIFTXQLEN:
> +	case SIOCSIFFLAGS:
> +	case SIOCSIFMETRIC:
> +	case SIOCSIFMTU:
> +	case SIOCSIFHWADDR:
> +	case SIOCSIFSLAVE:
> +	case SIOCADDMULTI:
> +	case SIOCDELMULTI:
> +	case SIOCSIFHWBROADCAST:
> +	case SIOCSMIIREG:
> +	case SIOCBONDENSLAVE:
> +	case SIOCBONDRELEASE:
> +	case SIOCBONDSETHWADDR:
> +	case SIOCBONDCHANGEACTIVE:
> +	case SIOCBRADDIF:
> +	case SIOCBRDELIF:
> +	case SIOCSHWTSTAMP:
> +	case SIOCBONDSLAVEINFOQUERY:
> +	case SIOCBONDINFOQUERY:
> +	case SIOCGIFMEM:
> +	case SIOCSIFMEM:
> +	case SIOCSIFLINK:
> +	case SIOCWANDEV:
> +	case SIOCGHWTSTAMP:
> +		return true;

That is horrid.
Can't you at least use _IOC_TYPE() to check for socket ioctls.
Clearly it can succeed for 'random' driver ioctls, but will fail
for the tty ones.

The other sane thing is to check _IOC_SIZE().
Since all the SIOCxxxx have a correct _IOC_SIZE() that can be
used to check the user copy length.
(Unlike socket options the correct length is always supplied.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ