Received: by 10.192.165.148 with SMTP id m20csp5108527imm; Tue, 8 May 2018 22:32:40 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrjJxgUaU0TtqBiCgBlBTqW2SCADD2a7j1yVULULmaoYj1rJtyG8kvbkTqtabB51Kr1WS26 X-Received: by 2002:a17:902:59ce:: with SMTP id d14-v6mr3092106plj.253.1525843960317; Tue, 08 May 2018 22:32:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525843960; cv=none; d=google.com; s=arc-20160816; b=qhSfpyTlEjxvX3ya/ltHz1L2CFw/ERF/SAt4LMNi+f7ERVolmn7E3ipSVzucMwwHnv OWAyHiGkZYNFw4oSmZAEHQIx4rzKhQul1U4Y2Vg3nRW4tXMoGaPUVpSET3/vrNhjkM8a DIZPbCt1Vos5XVYn6W3r8CM/mLOkNDCFujivT6GdzqKQnUNonrwPm0SUjxZLe1HWuNwA UJjYtRej5Y4PaS32e8oK+iTk0QYjPG2VBeoHYS8P2d3R9EOwojA53/7bKEwOXCNEbPf7 GP7S9To4HVrf88S7Pu+C9STzNNYWeMYZOzGz2pbFQo15eNZNEBt8jX7zn/ioLwLpDfSz PmGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=Ckc2/43KVD2gdOXiRw59F6csEvD9ST/ncSJqtrsJtCw=; b=iKShfY/ztEWLOzEOx3dtC7Yp4A9odpTntgLRitpnZB6UmV8Z/0yrO0ulUhVwbU4P1o amghZoh4jX2uQJnSyUYJWZ4852SXl9qQixHujCRVHV05ECrgVWFdgtuLeMq1qIpTiOyZ fke1m5AyfWm/pUA2sbCJ9creE2bj4AK8EezYfv7geesamoq0UrR6LWXoyIxNNF43OgQh Bzq2A8YXGaTN1yEujg14yjHC31vH1ymXTcdLqvwCPwlw/SdlAfg66YV0x/dkM2Kx8uv5 mW9hVJubETkFhHGP+YMZKTXKLdwJFbrXNsa0DNQcwFTH4D7ZtI15ryFMo+Vtj3Th9ZnR EA7w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=tFqRIu+D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j65-v6si20878232pge.371.2018.05.08.22.32.25; Tue, 08 May 2018 22:32:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=tFqRIu+D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933750AbeEIFbB (ORCPT + 99 others); Wed, 9 May 2018 01:31:01 -0400 Received: from mta-p1.oit.umn.edu ([134.84.196.201]:35622 "EHLO mta-p1.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933383AbeEIFbA (ORCPT ); Wed, 9 May 2018 01:31:00 -0400 Received: from localhost (localhost [127.0.0.1]) by mta-p1.oit.umn.edu (Postfix) with ESMTP id 09969253; Wed, 9 May 2018 05:30:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=umn.edu; h= content-type:content-type:subject:subject:message-id:date:date :from:from:references:in-reply-to:received:mime-version:received :received:received; s=20160920; t=1525843858; x=1527658259; bh=N A5Xe4xOHBXo6X6jEpFI0Or6n+yFs6POYyE48nnVvZY=; b=tFqRIu+DyLLsbsYj5 qg2reCRP8lGbmG3Iw1t5huoBqad5nWdMRqOc98P+bH+gc4eXu6KPjMqFmT6TBRQA HIMiZWThHZ2rJdn5hDD/UiDRC4VotFdh5ZZUc9g6ertH8mcCfmkL5f1W4IrL3kDs H4KVmUHcm5AKpQ0CeAzvcYn7iIQDkiB6MQrWf+tRoLa/P6gHBJwUIPtjx+BzDyTE +DQUeiUDZh/CQPvdHplGNfrInQw67vgK6mpbCgWZpqwsvLhUgRdX+/hQ6BvtpCfH GrrgaO5wZzNWaGZf19V20OLjIjhG9eQbV7vkzXB6PjiQW7WJebnQgTzOHL4mCBQi cjMSQ== X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p1.oit.umn.edu ([127.0.0.1]) by localhost (mta-p1.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xfVAEC_bCiXg; Wed, 9 May 2018 00:30:58 -0500 (CDT) Received: from mail-it0-f45.google.com (mail-it0-f45.google.com [209.85.214.45]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: wang6495) by mta-p1.oit.umn.edu (Postfix) with ESMTPSA id BBB6E164; Wed, 9 May 2018 00:30:58 -0500 (CDT) Received: by mail-it0-f45.google.com with SMTP id e20-v6so19138264itc.1; Tue, 08 May 2018 22:30:58 -0700 (PDT) X-Gm-Message-State: ALQs6tABzHOPo+cu1s31iJyWkEVycUb/ObnFueecSW+WBqlseovfD4JA wKNd+zYl5MWHunFvyeuwdDVPGLdv8zQpro8i7+U= X-Received: by 2002:a24:68c6:: with SMTP id v189-v6mr8745158itb.61.1525843858408; Tue, 08 May 2018 22:30:58 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a4f:44c:0:0:0:0:0 with HTTP; Tue, 8 May 2018 22:30:18 -0700 (PDT) In-Reply-To: <1525548766-13017-1-git-send-email-wang6495@umn.edu> References: <1525548766-13017-1-git-send-email-wang6495@umn.edu> From: Wenwen Wang Date: Wed, 9 May 2018 00:30:18 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] isdn: eicon: fix a missing-check bug To: Wenwen Wang Cc: Kangjie Lu , Armin Schindler , Karsten Keil , "open list:ISDN SUBSYSTEM" , open list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Could you please review this patch? We need a confirmation because we are working on an approaching deadline. Thanks! Wenwen On Sat, May 5, 2018 at 2:32 PM, Wenwen Wang wrote: > In divasmain.c, the function divas_write() firstly invokes the function > diva_xdi_open_adapter() to open the adapter that matches with the adapter > number provided by the user, and then invokes the function diva_xdi_write() > to perform the write operation using the matched adapter. The two functions > diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c. > > In diva_xdi_open_adapter(), the user command is copied to the object 'msg' > from the userspace pointer 'src' through the function pointer 'cp_fn', > which eventually calls copy_from_user() to do the copy. Then, the adapter > number 'msg.adapter' is used to find out a matched adapter from the > 'adapter_queue'. A matched adapter will be returned if it is found. > Otherwise, NULL is returned to indicate the failure of the verification on > the adapter number. > > As mentioned above, if a matched adapter is returned, the function > diva_xdi_write() is invoked to perform the write operation. In this > function, the user command is copied once again from the userspace pointer > 'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as > both of them are from the 'buf' pointer in divas_write(). Similarly, the > copy is achieved through the function pointer 'cp_fn', which finally calls > copy_from_user(). After the successful copy, the corresponding command > processing handler of the matched adapter is invoked to perform the write > operation. > > It is obvious that there are two copies here from userspace, one is in > diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of > these two copies share the same source userspace pointer, i.e., the 'buf' > pointer in divas_write(). Given that a malicious userspace process can race > to change the content pointed by the 'buf' pointer, this can pose potential > security issues. For example, in the first copy, the user provides a valid > adapter number to pass the verification process and a valid adapter can be > found. Then the user can modify the adapter number to an invalid number. > This way, the user can bypass the verification process of the adapter > number and inject inconsistent data. > > To avoid such issues, this patch adds a check after the second copy in the > function diva_xdi_write(). If the adapter number is not equal to the one > obtained in the first copy, (-4) will be returned to divas_write(), which > will then return an error code -EINVAL. > > Signed-off-by: Wenwen Wang > --- > drivers/isdn/hardware/eicon/diva.c | 6 +++++- > drivers/isdn/hardware/eicon/divasmain.c | 3 +++ > 2 files changed, 8 insertions(+), 1 deletion(-) > > diff --git a/drivers/isdn/hardware/eicon/diva.c b/drivers/isdn/hardware/eicon/diva.c > index 944a7f3..46cbf76 100644 > --- a/drivers/isdn/hardware/eicon/diva.c > +++ b/drivers/isdn/hardware/eicon/diva.c > @@ -440,6 +440,7 @@ diva_xdi_write(void *adapter, void *os_handle, const void __user *src, > int length, divas_xdi_copy_from_user_fn_t cp_fn) > { > diva_os_xdi_adapter_t *a = (diva_os_xdi_adapter_t *) adapter; > + diva_xdi_um_cfg_cmd_t *p; > void *data; > > if (a->xdi_mbox.status & DIVA_XDI_MBOX_BUSY) { > @@ -461,7 +462,10 @@ diva_xdi_write(void *adapter, void *os_handle, const void __user *src, > > length = (*cp_fn) (os_handle, data, src, length); > if (length > 0) { > - if ((*(a->interface.cmd_proc)) > + p = (diva_xdi_um_cfg_cmd_t *) data; > + if (a->controller != (int)p->adapter) { > + length = -4; > + } else if ((*(a->interface.cmd_proc)) > (a, (diva_xdi_um_cfg_cmd_t *) data, length)) { > length = -3; > } > diff --git a/drivers/isdn/hardware/eicon/divasmain.c b/drivers/isdn/hardware/eicon/divasmain.c > index b9980e8..a03c658 100644 > --- a/drivers/isdn/hardware/eicon/divasmain.c > +++ b/drivers/isdn/hardware/eicon/divasmain.c > @@ -614,6 +614,9 @@ static ssize_t divas_write(struct file *file, const char __user *buf, > case -3: > ret = -ENXIO; > break; > + case -4: > + ret = -EINVAL; > + break; > } > DBG_TRC(("write: ret %d", ret)); > return (ret); > -- > 2.7.4 >