From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Armin Schindler, Karsten Keil, netdev@vger.kernel.org (open list:ISDN SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] isdn: eicon: fix a missing-check bug
Date: Sat, 5 May 2018 14:32:46 -0500
Message-Id: <1525548766-13017-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In divasmain.c, the function divas_write() firstly invokes the function diva_xdi_open_adapter() to open the adapter that matches with the adapter number provided by the user, and then invokes the function diva_xdi_write() to perform the write operation using the matched adapter. The two functions diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c.

In diva_xdi_open_adapter(), the user command is copied to the object 'msg' from the userspace pointer 'src' through the function pointer 'cp_fn', which eventually calls copy_from_user() to do the copy. Then, the adapter number 'msg.adapter' is used to find out a matched adapter from the 'adapter_queue'. A matched adapter will be returned if it is found. Otherwise, NULL is returned to indicate the failure of the verification on the adapter number.

As mentioned above, if a matched adapter is returned, the function diva_xdi_write() is invoked to perform the write operation. In this function, the user command is copied once again from the userspace pointer 'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as both of them are from the 'buf' pointer in divas_write(). Similarly, the copy is achieved through the function pointer 'cp_fn', which finally calls copy_from_user(). After the successful copy, the corresponding command processing handler of the matched adapter is invoked to perform the write operation.
It is obvious that there are two copies here from userspace, one is in diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of these two copies share the same source userspace pointer, i.e., the 'buf' pointer in divas_write(). Given that a malicious userspace process can race to change the content pointed by the 'buf' pointer, this can pose potential security issues.

For example, in the first copy, the user provides a valid adapter number to pass the verification process and a valid adapter can be found. Then the user can modify the adapter number to an invalid number. This way, the user can bypass the verification process of the adapter number and inject inconsistent data.

To avoid such issues, this patch adds a check after the second copy in the function diva_xdi_write(). If the adapter number is not equal to the one obtained in the first copy, (-4) will be returned to divas_write(), which will then return an error code -EINVAL.

Signed-off-by: Wenwen Wang
--- drivers/isdn/hardware/eicon/diva.c | 6 +++++- drivers/isdn/hardware/eicon/divasmain.c | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/isdn/hardware/eicon/diva.c b/drivers/isdn/hardware/eicon/diva.c index 944a7f3..46cbf76 100644 --- a/drivers/isdn/hardware/eicon/diva.c +++ b/drivers/isdn/hardware/eicon/diva.c @@ -440,6 +440,7 @@ diva_xdi_write(void *adapter, void *os_handle, const void __user *src, int length, divas_xdi_copy_from_user_fn_t cp_fn) { diva_os_xdi_adapter_t *a = (diva_os_xdi_adapter_t *) adapter; + diva_xdi_um_cfg_cmd_t *p; void *data; if (a->xdi_mbox.status & DIVA_XDI_MBOX_BUSY) { 
@@ -461,7 +462,10 @@ diva_xdi_write(void *adapter, void *os_handle, const void __user *src, length = (*cp_fn) (os_handle, data, src, length); if (length > 0) { - if ((*(a->interface.cmd_proc)) + p = (diva_xdi_um_cfg_cmd_t *) data; + if (a->controller != (int)p->adapter) { + length = -4; + } else if ((*(a->interface.cmd_proc)) (a, (diva_xdi_um_cfg_cmd_t *) data, length)) { length = -3; } diff --git a/drivers/isdn/hardware/eicon/divasmain.c b/drivers/isdn/hardware/eicon/divasmain.c index b9980e8..a03c658 100644 --- a/drivers/isdn/hardware/eicon/divasmain.c +++ b/drivers/isdn/hardware/eicon/divasmain.c @@ -614,6 +614,9 @@ static ssize_t divas_write(struct file *file, const char __user *buf, case -3: ret = -ENXIO; break; + case -4: + ret = -EINVAL; + break; } DBG_TRC(("write: ret %d", ret)); return (ret); -- 2.7.4
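Review bot: the `diva_xdi_um_cfg_cmd_t *p;` added in the first diva.c hunk (@@ -440) is only ever assigned and read inside the `if (length > 0)` branch of the following hunk; the later `cmd_proc` call already casts `data` to the same type inline, so the variable can be dropped and the comparison written as `((diva_xdi_um_cfg_cmd_t *)data)->adapter`, or, if you prefer to keep it, declared in the block where it is used rather than at function scope.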
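Review bot: the new `a->controller != (int)p->adapter` test in the second diva.c hunk (@@ -461) dereferences `p->adapter` out of `data` after `cp_fn` copied `length` bytes, and nothing in the visible lines guarantees that `length` covers the `adapter` field; if diva_xdi_write() already rejects writes shorter than `sizeof(diva_xdi_um_cfg_cmd_t)` before this point, please say so in the commit message, otherwise guard the dereference with a `length >= sizeof(diva_xdi_um_cfg_cmd_t)` check. Two smaller points on the same lines: the commit message says the number is compared with "the one obtained in the first copy", but the code compares it with `a->controller`, which is only equivalent if diva_xdi_open_adapter() selected the adapter by that same field, so state that assumption; and `-4` is a bare magic value that must stay in step with the `case -4` in divasmain.c, so a named constant next to the existing `-3` would make the pairing explicit.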
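Review bot: in the divasmain.c hunk (@@ -614), `case -4: ret = -EINVAL;` extends a switch over ad-hoc return codes that are defined by convention in another file; a short comment on the case (or a shared `#define`) saying that -4 means "adapter number changed between the two copies" would keep the two files from drifting. Since a mismatch here can only occur when userspace altered the buffer between the two copies, it is also worth confirming that the existing `DBG_TRC(("write: ret %d", ret))` trace is enough to diagnose it, or adding a more specific trace at this case.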
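The two-fetch sequence the commit message describes, and the consistency check the patch adds, modelled in user space as an added example that is not the driver's code; the struct layout, adapter table, `cp_fn` stand-in and every function name here are assumptions, and overwriting the buffer between the two copies stands in for the racing userspace process.

```c
/* Added illustration, not the kernel's code: a user-space model of the two
 * fetches in divas_write() and of the check the patch adds. All names here
 * (user_cmd, adapters, xdi_open_adapter, xdi_write, run_sequence) are made up. */
#include <string.h>
struct um_cfg_cmd { unsigned int adapter; unsigned int command; };
struct adapter { int controller; int writes; };
/* Constructed "userspace" buffer and adapter table. */
static struct um_cfg_cmd user_cmd;
static struct adapter adapters[3] = { {1, 0}, {2, 0}, {3, 0} };
/* Stand-in for the cp_fn hook that ends in copy_from_user(). */
static int copy_cmd(void *dst, const void *src, int len)
{
    memcpy(dst, src, (size_t)len);
    return len;
}
/* First fetch: select the adapter whose controller equals msg.adapter. */
static struct adapter *xdi_open_adapter(const void *src)
{
    struct um_cfg_cmd msg;
    int i;
    copy_cmd(&msg, src, (int)sizeof(msg));
    for (i = 0; i < 3; i++)
        if (adapters[i].controller == (int)msg.adapter)
            return &adapters[i];
    return NULL;             /* adapter number failed verification */
}
/* Second fetch. With check != 0 the patch's test is applied: -4 when the
 * adapter number no longer matches the adapter chosen by the first fetch. */
static int xdi_write(struct adapter *a, const void *src, int check)
{
    struct um_cfg_cmd data;
    int length = copy_cmd(&data, src, (int)sizeof(data));
    if (length > 0) {
        if (check && a->controller != (int)data.adapter)
            return -4;       /* divas_write() turns this into -EINVAL */
        a->writes++;         /* cmd_proc stand-in: command accepted */
    }
    return length;
}
/* Open with adapter number 'first', change the buffer to 'second' before the
 * write (what a racing userspace thread could do), return xdi_write()'s result. */
int run_sequence(unsigned int first, unsigned int second, int check)
{
    struct adapter *a;
    user_cmd.adapter = first;
    if (!(a = xdi_open_adapter(&user_cmd)))
        return -1;
    user_cmd.adapter = second;
    return xdi_write(a, &user_cmd, check);
}
```

With `check` set, a buffer whose adapter number changed after the first copy is refused with -4; without it the command reaches the adapter the first copy selected.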