Message-ID: <7a26cd1bafb22b16eab3868255706d44fa4f255d.camel@redhat.com>
Date: Thu, 02 Nov 2023 23:02:35 +0100
From: Philipp Stanner <pstanner@...hat.com>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: "David S. Miller" <davem@...emloft.net>,
 Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>,
 Stanislav Fomichev <sdf@...gle.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Benjamin Tissoires <benjamin.tissoires@...hat.com>,
 linux-ppp@...r.kernel.org, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 Dave Airlie <airlied@...hat.com>
Subject: Re: [PATCH] drivers/net/ppp: copy userspace array safely

Hallo Al,

On Thu, 2023-11-02 at 20:09 +0000, Al Viro wrote:
> On Thu, Nov 02, 2023 at 08:19:15PM +0100, Philipp Stanner wrote:
> > In ppp_generic.c memdup_user() is utilized to copy a userspace
> > array.
> > This is done without an overflow check.
> >
> > Use the new wrapper memdup_array_user() to copy the array more
> > safely.
>
> > fprog.len = uprog->len;
> > - fprog.filter = memdup_user(uprog->filter,
> > - uprog->len * sizeof(struct
> > sock_filter));
> > + fprog.filter = memdup_array_user(uprog->filter,
> > + uprog->len, sizeof(struct
> > sock_filter));
>
> Far be it from me to discourage security theat^Whardening, but

a bit about the background here:
(tl;dr: No reason to worry, I am not one of those security fanatics. In
fact, I worked for 12 months with those people with some mixed
experiences ^^')

(btw, note that the commit says 'safety', not 'security')

We introduced those wrappers to string.h hoping they will be useful.
Now that they're merged, I quickly wanted to establish them as the
standard for copying user-arrays, ideally in the current merge window.
Because it's convenient, easy to read and, at times, safer.

I just want to help out a bit in the kernel, clean up here and there;
it's not yet the primary task assigned to me by my employer.
Thus, I quickly prepared 13 patches today implementing the wrapper.
You'll find the others on LKML.

Getting to:

>
> struct sock_fprog {	/* Required for SO_ATTACH_FILTER. */
> 	unsigned short len;	/* Number of filter blocks */
> 	struct sock_filter __user *filter;
> };
>
> struct sock_filter {	/* Filter block */
> 	__u16 code;	/* Actual filter code */
> 	__u8 jt;	/* Jump true */
> 	__u8 jf;	/* Jump false */
> 	__u32 k;	/* Generic multiuse field */
> };
>
> so you might want to mention that overflow in question would have to
> be
> in multiplying an untrusted 16bit value by 8...
>

I indeed did not even look at that.
When it was obvious to me that fearing an overflow is ridiculous, I
actually adjusted the commit-message, see for example here: [1]

I just didn't see it in ppp. Maybe I should have looked more
intensively for all 13 patches. But we'll get there, that's what v2 and
v3 are for :)

P.

[1] https://lore.kernel.org/all/20231102192402.53721-2-pstanner@redhat.com/

PS:
Security != Safety
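
Review bot: the commit message's "This is done without an overflow check" overstates the risk for the memdup_user() call being replaced. Per the struct definitions quoted in this message, uprog->len is an unsigned short and struct sock_filter is 8 bytes (__u16 + __u8 + __u8 + __u32), so uprog->len * sizeof(struct sock_filter) is at most 65535 * 8 and cannot wrap. Suggest rewording the message to state that the product cannot overflow here and that the switch to memdup_array_user() is for consistency and readability with other user-array copies.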