Hi:
Buffer overflow in the mptctl_replace_fw() function in linux kernel
MPT ioctl driver.
In mptctl_replace_fw function, kernel didn't check the size of
"newFwSize" variable allows attackers to cause a denial of service via
unspecified vectors that trigger copy_from_user function calls with
improper length arguments.
static int
mptctl_replace_fw (unsigned long arg)
{
......
if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_replace_fw))) {
printk(KERN_ERR MYNAM "%s@%d::mptctl_replace_fw - "
"Unable to read in mpt_ioctl_replace_fw struct @ %p\n",
__FILE__, __LINE__, uarg);
return -EFAULT;
}
......
mpt_free_fw_memory(ioc);
/* Allocate memory for the new FW image
*/
newFwSize = ALIGN(karg.newImageSize, 4);
mpt_alloc_fw_memory(ioc, newFwSize);
......
if (copy_from_user(ioc->cached_fw, uarg->newImage, newFwSize)) {
///------->newFwSize can control in userspace
printk(MYIOC_s_ERR_FMT "%s@%d::mptctl_replace_fw - "
"Unable to read in mpt_ioctl_replace_fw image "
"@ %p\n", ioc->name, __FILE__, __LINE__, uarg);
mpt_free_fw_memory(ioc);
return -EFAULT;
}
......
return 0;
}
On Thu, Aug 31, 2017 at 11:00 PM, Dison River <[email protected]> wrote:
> Hi:
> Buffer overflow in the mptctl_replace_fw() function in linux kernel
> MPT ioctl driver.
>
> In mptctl_replace_fw function, kernel didn't check the size of
> "newFwSize" variable allows attackers to cause a denial of service via
> unspecified vectors that trigger copy_from_user function calls with
> improper length arguments.
Is there a specific path you see to trigger this?
>
>
> static int
> mptctl_replace_fw (unsigned long arg)
> {
> ......
> if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_replace_fw))) {
> printk(KERN_ERR MYNAM "%s@%d::mptctl_replace_fw - "
> "Unable to read in mpt_ioctl_replace_fw struct @ %p\n",
> __FILE__, __LINE__, uarg);
> return -EFAULT;
> }
>
> ......
>
> mpt_free_fw_memory(ioc);
This frees ioc->cached_fw.
>
> /* Allocate memory for the new FW image
> */
> newFwSize = ALIGN(karg.newImageSize, 4);
>
> mpt_alloc_fw_memory(ioc, newFwSize);
This allocates ioc->cached_fw to newFwSize.
> ......
>
> if (copy_from_user(ioc->cached_fw, uarg->newImage, newFwSize)) {
This copies newFwSize bytes into a buffer that is allocated to newFwSize bytes.
What am I missing? I see some games getting played in
mpt_alloc_fw_memory(), but they seem to be covered due to the earlier
call to mpt_free_fw_memory()...
-Kees
> ///------->newFwSize can control in userspace
> printk(MYIOC_s_ERR_FMT "%s@%d::mptctl_replace_fw - "
> "Unable to read in mpt_ioctl_replace_fw image "
> "@ %p\n", ioc->name, __FILE__, __LINE__, uarg);
> mpt_free_fw_memory(ioc);
> return -EFAULT;
> }
>
> ......
>
> return 0;
> }
-Kees
--
Kees Cook
Pixel Security
On Fri, Sep 01, 2017 at 02:00:48PM +0800, Dison River wrote:
> newFwSize = ALIGN(karg.newImageSize, 4);
This is an integer overflow, but it's harmless... As a static checker
developer this is where I would print a warning:
drivers/message/fusion/mptctl.c:1748 mptctl_replace_fw() warn: potential integer overflow from user '((karg.newImageSize)) + (((4)) - 1)'
I also caught the integer overflow from two days ago but there are too
many ones like this so I can't check them all. In mpt_alloc_fw_memory()
there is another potential integer overflow when we do:
ioc->alloc_total += size;
But ->alloc_total is not used anywhere.
I don't see a buffer overflow here.
regards,
dan carpenter