2018-10-05 16:00:14

by Wenwen Wang

[permalink] [raw]
Subject: [PATCH] yam: fix a missing-check bug

In yam_ioctl(), the concrete ioctl command is firstly copied from the
user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the
following switch statement. If the command is not as expected, an error
code EINVAL is returned. In the following execution the buffer
'ifr->ifr_data' is copied again in the cases of the switch statement to
specific data structures according to what kind of ioctl command is
requested. However, after the second copy, no re-check is enforced on the
newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user
space, a malicious user can race to change the command between the two
copies. This way, the attacker can inject inconsistent data and cause
undefined behavior.

This patch adds a re-check in each case of the switch statement if there is
a second copy in that case, to re-check whether the command obtained in the
second copy is the same as the one in the first copy. If not, an error code
EINVAL will be returned.

Signed-off-by: Wenwen Wang <[email protected]>
---
drivers/net/hamradio/yam.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c
index 16ec7af..ba9df43 100644
--- a/drivers/net/hamradio/yam.c
+++ b/drivers/net/hamradio/yam.c
@@ -966,6 +966,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
sizeof(struct yamdrv_ioctl_mcs));
if (IS_ERR(ym))
return PTR_ERR(ym);
+ if (ym->cmd != SIOCYAMSMCS)
+ return -EINVAL;
if (ym->bitrate > YAM_MAXBITRATE) {
kfree(ym);
return -EINVAL;
@@ -981,6 +983,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
if (copy_from_user(&yi, ifr->ifr_data, sizeof(struct yamdrv_ioctl_cfg)))
return -EFAULT;

+ if (yi.cmd != SIOCYAMSCFG)
+ return -EINVAL;
if ((yi.cfg.mask & YAM_IOBASE) && netif_running(dev))
return -EINVAL; /* Cannot change this parameter when up */
if ((yi.cfg.mask & YAM_IRQ) && netif_running(dev))
--
2.7.4



2018-10-05 18:55:44

by David Miller

[permalink] [raw]
Subject: Re: [PATCH] yam: fix a missing-check bug

From: Wenwen Wang <[email protected]>
Date: Fri, 5 Oct 2018 10:59:36 -0500

> In yam_ioctl(), the concrete ioctl command is firstly copied from the
> user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the
> following switch statement. If the command is not as expected, an error
> code EINVAL is returned. In the following execution the buffer
> 'ifr->ifr_data' is copied again in the cases of the switch statement to
> specific data structures according to what kind of ioctl command is
> requested. However, after the second copy, no re-check is enforced on the
> newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user
> space, a malicious user can race to change the command between the two
> copies. This way, the attacker can inject inconsistent data and cause
> undefined behavior.
>
> This patch adds a re-check in each case of the switch statement if there is
> a second copy in that case, to re-check whether the command obtained in the
> second copy is the same as the one in the first copy. If not, an error code
> EINVAL will be returned.
>
> Signed-off-by: Wenwen Wang <[email protected]>

Applied, thanks.