Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751848AbdISPYB (ORCPT <rfc822;w@1wt.eu>);
        Tue, 19 Sep 2017 11:24:01 -0400
Received: from mx1.gtisc.gatech.edu ([143.215.130.81]:52402 "EHLO
        mx1.gtisc.gatech.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751476AbdISPX7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 19 Sep 2017 11:23:59 -0400
From: Meng Xu <mengxu.gatech@gmail.com>
To: jaharkes@cs.cmu.edu, coda@cs.cmu.edu,
        codalist@TELEMANN.coda.cs.cmu.edu, linux-kernel@vger.kernel.org
Cc: meng.xu@gatech.edu, sanidhya@gatech.edu, taesoo@gatech.edu,
        Meng Xu <mengxu.gatech@gmail.com>
Subject: [PATCH] fs/coda: ensure the header peeked at is the same in the actual message
Date: Tue, 19 Sep 2017 11:23:43 -0400
Message-Id: <1505834623-37096-1-git-send-email-mengxu.gatech@gmail.com>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1601
Lines: 41

In coda_psdev_write(), the header of the buffer is fetched twice from the
userspace. The first fetch is used to peek at the opcode and unique id while
the second fetch copies the whole message. However, there could be
inconsistency in these two fields between two fetches as buf resides in
userspace memory and a user process can rush to change it across fetches.
Which means that the corresponding opcode and unique id fields in
req->uc_data could be different from what is fetched in for the first time.

Whether this double-fetch situation is a security critical bug depends on
how req->uc_data will be used later. However, given that it is hard to
enumerate all the possible use cases, a safer way is to ensure that the
peeked header is actually the same message header after the second fetch.

This patch enforces that the header of the message fetched into req->uc_data
is the same as what is fetched in originally. In other words, hdr.opcode and
hdr.unique do not change.

Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
---
 fs/coda/psdev.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
index f40e395..b9dbdd8 100644
--- a/fs/coda/psdev.c
+++ b/fs/coda/psdev.c
@@ -178,6 +178,12 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
 		goto out;
 	}
 
+	/*
+	 * Override the request header to make sure that it matches the
+	 * first fetch from buf
+	 */
+	memcpy(req->uc_data, &hdr, 2 * sizeof(u_long));
+
 	/* adjust outsize. is this useful ?? */
 	req->uc_outSize = nbytes;
 	req->uc_flags |= CODA_REQ_WRITE;
-- 
2.7.4