2007-05-17 04:56:29

by sk b

[permalink] [raw]
Subject: user pointers and race conditions


Hello,

I'm wondering whether there is an exploitable TOCTTOU race condition in the way user pointers are handled in the kernel. Consider the following code:

1: struct st { int *u; };
2: void syscall(struct st * stp) {
3: if (!access_ok(VERIFY_READ,stp,sizeof(struct st)))
4: return;
5: if (!access_ok(VERIFY_WRITE,stp->u,sizeof(int)))
6: return;
7: foo(); //user app writes a kernel address to stp->u
8: *(stp->u) = 0;
9:}

Suppose syscall is some system call and, thus, stp and stp->u are user pointers. The function checks the stp and stp->u pointers using the access_ok macro on lines 3 and 5. Also suppose that the call to foo on line 7 takes a non-trivial amount of time to execute. During the time it takes foo to execute, the user application writes a kernel address to stp->u. Note that this write occurs after the check on line 5. Then, on line 8, the kernel writes to stp->u which contains a kernel address. So, the user application could force the kernel to overwrite itself. Is it possible to exploit this race condition? If so, does Sparse check for this?

-SKB
_________________________________________________________________
Download Messenger. Start an i?m conversation. Support a cause. Join now.
http://im.live.com/messenger/im/home/?source=TAGWL_MAY07


2007-05-17 05:04:46

by Al Viro

[permalink] [raw]
Subject: Re: user pointers and race conditions

On Wed, May 16, 2007 at 10:56:22PM -0600, sk b wrote:
>
> Hello,
>
> I'm wondering whether there is an exploitable TOCTTOU race condition in the way user pointers are handled in the kernel. Consider the following code:
>
> 1: struct st { int *u; };
> 2: void syscall(struct st * stp) {
> 3: if (!access_ok(VERIFY_READ,stp,sizeof(struct st)))
> 4: return;
> 5: if (!access_ok(VERIFY_WRITE,stp->u,sizeof(int)))

... and there's your bug - direct access to userland data. The normal
variant is to use accessors (get_user() or copy_from_user()) to fetch
the value of stp->u. At which point races of the kind you mentioned
take an obviously dumb code (explicitly copying the same struct from
userland _twice_).

2007-05-17 05:06:39

by David Miller

[permalink] [raw]
Subject: Re: user pointers and race conditions

From: sk b <[email protected]>
Date: Wed, 16 May 2007 22:56:22 -0600

> 3: if (!access_ok(VERIFY_READ,stp,sizeof(struct st)))
> 4: return;
> 5: if (!access_ok(VERIFY_WRITE,stp->u,sizeof(int)))
> 6: return;

This code would not exist in the kernel, the kernel cannot dereference
stp->u. The stp->u dereference would silently work on x86 and x86_64
but it would generate an exception on sparc64 and other platforms.

User space accesses must go through the proper copy_from_user(),
copy_to_user, get_user(), and put_user() interfaces.

It must first copy stp into a local kernel space copy, then it may
inspect the value of stp->u.

And yes sparse would catch this problem in your code, because the
"__user" annotations would catch the illegal "stp->u" dereference.

2007-05-17 12:27:25

by Arjan van de Ven

[permalink] [raw]
Subject: Re: user pointers and race conditions

On Wed, 2007-05-16 at 22:56 -0600, sk b wrote:
> Hello,
>
> I'm wondering whether there is an exploitable TOCTTOU race condition in the way user pointers are handled in the kernel. Consider the following code:
>
> 1: struct st { int *u; };
> 2: void syscall(struct st * stp) {
> 3: if (!access_ok(VERIFY_READ,stp,sizeof(struct st)))
> 4: return;
> 5: if (!access_ok(VERIFY_WRITE,stp->u,sizeof(int)))
> 6: return;

this line is invalid; you are not allowed to dereference userspace
memory directly. You need to call copy_from_user() on stp first, and
then use the copy.
> 7: foo(); //user app writes a kernel address to stp->u
> 8: *(stp->u) = 0;
> 9:}
>
> Suppose syscall is some system call and, thus, stp and stp->u are user pointers. The function checks the stp and stp->u pointers using the access_ok macro on lines 3 and 5. Also suppose that the call to foo on line 7 takes a non-trivial amount of time to execute. During the time it takes foo to execute, the user application writes a kernel address to stp->u. Note that this write occurs after the check on line 5. Then, on line 8, the kernel writes to stp->u which contains a kernel address. So, the user application could force the kernel to overwrite itself. Is it possible to exploit this race condition? If so, does Sparse check for this?
>
> -SKB
> _________________________________________________________________
> Download Messenger. Start an i’m conversation. Support a cause. Join now.
> http://im.live.com/messenger/im/home/?source=TAGWL_MAY07-
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
if you want to mail me at work (you don't), use arjan (at) linux.intel.com
Test the interaction between Linux and your BIOS via http://www.linuxfirmwarekit.org