Received: by 10.192.165.148 with SMTP id m20csp4266860imm; Tue, 8 May 2018 05:54:34 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqgPxYXjMnfwriBDW0nVWLNk+zjE9U+5ZNRTgZRheCURSQKE0OWUwEzCU+m/xRPNvWVZakH X-Received: by 10.98.64.79 with SMTP id n76mr16784103pfa.185.1525784074907; Tue, 08 May 2018 05:54:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525784074; cv=none; d=google.com; s=arc-20160816; b=sbgx3Aq3RfHs3HNgWF2TNGldHB0KPIlyO9Hsu3tiI/W5YpR/DVnh28sDafua3vrId1 5MzTAK4etjKF2749UkYsN5mVo2+MUaTZxAE3Q3Z0DXetB7xndSTMB12uvGZAQPgCvxxW PlDJg5NgNHVvZtjDtdAEKi1EEXaiimmeeMYhqedeQGCNiMYUBG4cEE/3dkScLhIkume4 fci0hwV8r9xDREVmJtYyYjP0W+X6Z6YrySJyHiaIEkfQnbMVjCkGz2zGNC0R0oZLAhXP kCUmLsDmZE/YFl8y7P2pl66cnOiBR3urVOJJRLqzZcbfEk2NR6uprs5ZqShsYVFf1aja wXdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=IJ6NPJAn4Mq4+S2pM0BJfDGOL6rQDJkAAbkpN+wGyLQ=; b=LKiqhLLWGPSQbkr7uN6vAjE1vzlJrKnrRwZw1rjp2wrjowVVOLgS6j+GkJFlKtFoVp XgEioZkTuYZ+aOXIX/aZ0LRBNK9IvYx4zM2iPkHybKMueFnF2Ud1qIAKjUJ8Bh/hbFb6 b+VDyFlohc3kLejFyI53T93Ne+JfqBUvezcOaiWySmywsWuf5841SEP2U1lXWCPx9JWH NkFUr7QSlnxWffwIuzSMZCay1EKcbXwAdOr7PR57WSiOWrYp8tuW8sYDj/jMXeIgmaRY hRzve3wmokQ/zSS3tlR4uvyEBsPFDhZ7xpnB8+Rbb768r/dNMpNJ/LS/QEKEU3zij+kp 5hIw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=dcoi/z4F; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 6si24166304pft.35.2018.05.08.05.54.20; Tue, 08 May 2018 05:54:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=dcoi/z4F; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755117AbeEHMxk (ORCPT + 99 others); Tue, 8 May 2018 08:53:40 -0400 Received: from mta-p3.oit.umn.edu ([134.84.196.203]:39478 "EHLO mta-p3.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755090AbeEHMxj (ORCPT ); Tue, 8 May 2018 08:53:39 -0400 Received: from localhost (localhost [127.0.0.1]) by mta-p3.oit.umn.edu (Postfix) with ESMTP id CEEC5735 for ; Tue, 8 May 2018 12:53:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=umn.edu; h= content-type:content-type:subject:subject:message-id:date:date :from:from:references:in-reply-to:received:mime-version:received :received:received; s=20160920; t=1525784018; x=1527598419; bh=/ 90RlK5eXDyuPmeZWAMMbUUKIRwiklGU8OKz5C8lYHA=; b=dcoi/z4FgLFf9w4n0 u7LTIcoepCgLPmDcESlSQaY1EqOuKS1kmDn3Bu91g8GJtEFPP48Y6mUiegzClup7 ZpU0m30CDnFCbPpCfelTp54GsZ6Ryv18jYyUFhtnRdPrtbxhPz3+0BO89TcN+bQd I2HSGfz9nHeaBPJnu4IA2sktb20K4qJjgMgxN9o5+dkXjItKALjNkqC4G2ns24MB pNKqvNlIKF6wxg+W4iDekNan98kiLXI8foRDhT0kL9yUy0NvlJhEwxiL9ty48lp9 T1bd+b4AaMEOKtHUiJscEIm7s5grd5pBWRo9Ebtnl4/VZgXtEpngQT83i1S65nPz HSPQA== X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p3.oit.umn.edu ([127.0.0.1]) by localhost (mta-p3.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVVhkLKlospM for ; Tue, 8 May 2018 07:53:38 -0500 (CDT) Received: from mail-it0-f53.google.com (mail-it0-f53.google.com [209.85.214.53]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: wang6495) by mta-p3.oit.umn.edu (Postfix) with ESMTPSA id 9D6EA6ED for ; Tue, 8 May 2018 07:53:38 -0500 (CDT) Received: by mail-it0-f53.google.com with SMTP id c5-v6so14047815itj.1 for ; Tue, 08 May 2018 05:53:38 -0700 (PDT) X-Gm-Message-State: ALKqPwcpO9Qyf7sEqxalkB8vEm7Y7EWOhZFfgMVGxv+HtPZkVKoR1xiw W13LfrJ/Ld3Wybx3IIf5YA+O74m2g6E7Uvim/80= X-Received: by 2002:a24:25d0:: with SMTP id g199-v6mr5963885itg.26.1525784018363; Tue, 08 May 2018 05:53:38 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a4f:44c:0:0:0:0:0 with HTTP; Tue, 8 May 2018 05:52:57 -0700 (PDT) In-Reply-To: <8db08d8e-c618-d806-b824-0b8990ef0785@redhat.com> References: <1525577448-16071-1-git-send-email-wang6495@umn.edu> <8db08d8e-c618-d806-b824-0b8990ef0785@redhat.com> From: Wenwen Wang Date: Tue, 8 May 2018 07:52:57 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] virt: vbox: fix a missing-check bug To: Hans de Goede Cc: Kangjie Lu , Arnd Bergmann , Greg Kroah-Hartman , open list , Wenwen Wang Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 8, 2018 at 6:46 AM, Hans de Goede wrote: > Hi Wenwen, > > On 06-05-18 05:30, Wenwen Wang wrote: >> >> In vbg_misc_device_ioctl(), the header of the ioctl argument is copied >> from >> the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the >> 'version', 'size_in', and 'size_out' fields of 'hdr' are verified. For >> example, if 'hdr.version' is not VBG_IOCTL_HDR_VERSION, an error code >> -EINVAL will be returned. If 'hdr' can pass all verifications, the whole >> structure of the ioctl argument is copied once again from 'arg' and saved >> to 'buf'. Then the function vbg_core_ioctl() is invoked to execute the >> ioctl command. Given that the 'arg' pointer resides in userspace, a >> malicious userspace process can race to change the data pointed to by >> 'arg' >> between the two copies. By doing so, the user can bypass the verifications >> on the ioctl argument, which can cause vbg_core_ioctl() to work on >> unsecure >> data because it assumes the 'version', 'size_in', and 'size_out' have been >> verified by vbg_misc_device_ioctl(), as mentioned in the comment in >> vbg_core_ioctl(): >> >> /* >> * hdr->version and hdr->size_in / hdr->size_out minimum size are >> * already checked by vbg_misc_device_ioctl(). >> */ >> >> This patch adds checks after the second copy to ensure the consistency >> between the data obtained in the two copies. In case an inconsistency is >> detected, an error code -EINVAL will be returned. >> >> Signed-off-by: Wenwen Wang > > > Thank you for finding this. I don't think that doing a second check is > a good solution, by copy and pasting the checks we run the risk that > any future additional checks are omitted from one copy of the checks. > > Instead I think we should simply avoid the 2nd copy of the header, like > this: > > From 0c50b0dce3cf25a0ee9794c5816d9a0232d29e0a Mon Sep 17 00:00:00 2001 > From: Hans de Goede > Date: Tue, 8 May 2018 13:23:01 +0200 > Subject: [PATCH 3/3] virt: vbox: Only copy_from_user the request-header once > > In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from > the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the > 'version', 'size_in', and 'size_out' fields of 'hdr' are verified. > > Before this commit, after the checks a buffer for the entire request would > be allocated and then all data including the verified header would be > copied from the userspace 'arg' pointer again. > > Given that the 'arg' pointer resides in userspace, a malicious userspace > process can race to change the data pointed to by 'arg' between the two > copies. By doing so, the user can bypass the verifications on the ioctl > argument. > > This commit fixes this by using the already checked copy of the header > to fill the header part of the allocated buffer and only copying the > remainder of the data from userspace. > > Reported-by: Wenwen Wang > Signed-off-by: Hans de Goede > --- > drivers/virt/vboxguest/vboxguest_linux.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/virt/vboxguest/vboxguest_linux.c > b/drivers/virt/vboxguest/vboxguest_linux.c > index 398d22693234..6e2a9619192d 100644 > --- a/drivers/virt/vboxguest/vboxguest_linux.c > +++ b/drivers/virt/vboxguest/vboxguest_linux.c > @@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct file *filp, > unsigned int req, > if (!buf) > return -ENOMEM; > > - if (copy_from_user(buf, (void *)arg, hdr.size_in)) { > + *((struct vbg_ioctl_hdr *)buf) = hdr; > + if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr), > + hdr.size_in - sizeof(hdr))) { > ret = -EFAULT; > goto out; > } > > Do you agree that this would also fix the race window you found? Thanks for your response. Yes, this fix also works. Wenwen