Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4998030imm; Fri, 18 May 2018 14:34:57 -0700 (PDT) X-Google-Smtp-Source: AB8JxZo03oNeYLCjC67wtL6ShaQ9wfv6SLzxcCNz/SYqHt4BHWLG6ioNrz7MplLN9JdG5JA4WjNJ X-Received: by 2002:a17:902:598d:: with SMTP id p13-v6mr5760518pli.191.1526679297510; Fri, 18 May 2018 14:34:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526679297; cv=none; d=google.com; s=arc-20160816; b=lpD5YrePFN8JbuQaG6ARca93LqF2kMayn1T975QfsLYufCbpnWLGgA6yC2I+1OhpM6 UhR8oXQZ3035aVsfqKlXzEILrsht32fCZtUTWhHbzAPUC1SM5cVNf/my1CIxdcvKUZIz 1SQLCiATBOhfjet9q8Br7gmD90n/+o9e6UjYqXu/EbHy2rzledc634Nwn+yiA93OAgVL Xct/UJDqTOhFX7onGeVwGnna4kdV8/Ihg/O92NeP/VnPGzwJnYYdwk8lnkgbYtxVbi9m 5n/XPyboAi8hNk70+1srVSJdU01TNd1N3cYMHC3cGrgxWZIMA1tUJ0KlAMQYdCJHV34T FQVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=YlQ9x+XFQYhHwTbeqCk38kTOfgSWhcAegWWkQKbZ58M=; b=fgRgOwuOFfmCOrOFCc1QIl4U6LkCB8vUkDMYOE8gkmaRSRZTWhzsJzvm/PlJovV0jr L8A7niKwzvNAYpW8gabvIxqfGJIoKzPJ3QRuqjLqDpuZpD8ZQgo/hBZztkNhPFIgn2So eXN351c/EsaK88UO/lK/pgDwpxk3/iMo1dnnjNNCqAijnKyghbSoF43vkQYufiP44flo yxSSf36zLMuGrWxWulRqdh/uNl3Y4fZiOQotI6rcktzyMEKSaE7tuY9dEipTekqJe38+ v7+HzO5rah3Hh8UhDyHOHU6X00fBM97+Tl+5ThwoalMc1AJTwC7//qgVM3AFp1BFcvL3 Y8lA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=I5Gk6gww; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l4-v6si7950569plt.258.2018.05.18.14.34.42; Fri, 18 May 2018 14:34:57 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=I5Gk6gww; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752244AbeERVeI (ORCPT + 99 others); Fri, 18 May 2018 17:34:08 -0400 Received: from mta-p6.oit.umn.edu ([134.84.196.206]:39276 "EHLO mta-p6.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751747AbeERVeF (ORCPT ); Fri, 18 May 2018 17:34:05 -0400 Received: from localhost (unknown [127.0.0.1]) by mta-p6.oit.umn.edu (Postfix) with ESMTP id EE20AD89 for ; Fri, 18 May 2018 21:34:04 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p6.oit.umn.edu ([127.0.0.1]) by localhost (mta-p6.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o9cYy9wNyN0P for ; Fri, 18 May 2018 16:34:04 -0500 (CDT) Received: from mail-io0-f199.google.com (mail-io0-f199.google.com [209.85.223.199]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p6.oit.umn.edu (Postfix) with ESMTPS id B55EAD29 for ; Fri, 18 May 2018 16:34:04 -0500 (CDT) Received: by mail-io0-f199.google.com with SMTP id t9-v6so6329333ioa.2 for ; Fri, 18 May 2018 14:34:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=from:to:cc:subject:date:message-id; bh=YlQ9x+XFQYhHwTbeqCk38kTOfgSWhcAegWWkQKbZ58M=; b=I5Gk6gwwIR5NqJylaw5pU39PYo7reaTu5KYPNxINhAZ8bBmfJ9x2zU5gJnPNORlpvb jOtKTKvxJL66/QywHqq+HbEQfjGNN3rMMTpyyb8gdazFBdH0eiLfzDxsICjt8S2VFPdi T4+6up1s0NBR9iWK31AKUspJL99cZsI2a9CXpzMSqNRHMVX+6KVT4GARyIpY7aIgV+p6 4oaFQ+cwb1jXosDpnLQj92DoX51/f3W+mV45sqn8HaGia1zoPpMAmBsIU75pca4PYlsU GzsTzVIpMFTn1MHydySKxWd7UUIoYFl66uGqtLnxZ9gSz0P9+wbpnLs1g7On3SrdW037 MMkg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=YlQ9x+XFQYhHwTbeqCk38kTOfgSWhcAegWWkQKbZ58M=; b=ZHUCYfmvljSlfJz1Ne0a/wpyFY6vEyBxd2wvFiB16WyOhN2tV+3Q2A/py860tzGH9A fCdStAv1g1Xi1csUJVOrpSIGw4vvzYSuWl6EzDYLN5vEuLN9kfvesJ9dlMQGQvraa9xK 8RqMl7esBJuDHSUixOYB/6LY0dS7ue4tWFqN+NPmXD3LRjvejCcItVFzIQjpFtoshhPg 7BfqAfxGxKdVpoGe/+g2yEJMiGk8a/AB6reBya84ER5HuQXHypXxA+0NJt3X9IFzVWDB 4ikmW3Poq+K8dwrqWpVcDleBAZaX0GndpZ9GAdaqzofW11IOaYT2fB1HhyKwWGCz9GXG CRLQ== X-Gm-Message-State: ALKqPwcfwPQjDlpTqoid+Rz808O0hOB2VFYBevgqoNvlrF69RuvT7ceA 2P2rkA9KxuX65goiRPM+T7OpqcEfLEExxXeS0+x/8eHDiLi0azEjsz0crk5KgUHnU0yRkd8jXof xT/HQBiMNo1Crq2if7APQV2I5wyVb X-Received: by 2002:a24:d2c4:: with SMTP id z187-v6mr8936762itf.60.1526679244386; Fri, 18 May 2018 14:34:04 -0700 (PDT) X-Received: by 2002:a24:d2c4:: with SMTP id z187-v6mr8936747itf.60.1526679244138; Fri, 18 May 2018 14:34:04 -0700 (PDT) Received: from cs-u-cslp16.cs.umn.edu (cs-u-cslp16.cs.umn.edu. [134.84.121.95]) by smtp.gmail.com with ESMTPSA id e89-v6sm5245147itd.12.2018.05.18.14.34.02 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 18 May 2018 14:34:03 -0700 (PDT) From: Wenwen Wang To: Wenwen Wang Cc: Kangjie Lu , Armin Schindler , Karsten Keil , netdev@vger.kernel.org (open list:ISDN SUBSYSTEM), linux-kernel@vger.kernel.org (open list) Subject: [PATCH v2] isdn: eicon: fix a missing-check bug Date: Fri, 18 May 2018 16:33:47 -0500 Message-Id: <1526679228-1596-1-git-send-email-wang6495@umn.edu> X-Mailer: git-send-email 2.7.4 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In divasmain.c, the function divas_write() firstly invokes the function diva_xdi_open_adapter() to open the adapter that matches with the adapter number provided by the user, and then invokes the function diva_xdi_write() to perform the write operation using the matched adapter. The two functions diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c. In diva_xdi_open_adapter(), the user command is copied to the object 'msg' from the userspace pointer 'src' through the function pointer 'cp_fn', which eventually calls copy_from_user() to do the copy. Then, the adapter number 'msg.adapter' is used to find out a matched adapter from the 'adapter_queue'. A matched adapter will be returned if it is found. Otherwise, NULL is returned to indicate the failure of the verification on the adapter number. As mentioned above, if a matched adapter is returned, the function diva_xdi_write() is invoked to perform the write operation. In this function, the user command is copied once again from the userspace pointer 'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as both of them are from the 'buf' pointer in divas_write(). Similarly, the copy is achieved through the function pointer 'cp_fn', which finally calls copy_from_user(). After the successful copy, the corresponding command processing handler of the matched adapter is invoked to perform the write operation. It is obvious that there are two copies here from userspace, one is in diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of these two copies share the same source userspace pointer, i.e., the 'buf' pointer in divas_write(). Given that a malicious userspace process can race to change the content pointed by the 'buf' pointer, this can pose potential security issues. For example, in the first copy, the user provides a valid adapter number to pass the verification process and a valid adapter can be found. Then the user can modify the adapter number to an invalid number. This way, the user can bypass the verification process of the adapter number and inject inconsistent data. This patch reuses the data copied in diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the above issues can be avoided. Signed-off-by: Wenwen Wang --- drivers/isdn/hardware/eicon/diva.c | 20 +++++++++++++------- drivers/isdn/hardware/eicon/diva.h | 5 +++-- drivers/isdn/hardware/eicon/divasmain.c | 18 +++++++++++------- 3 files changed, 27 insertions(+), 16 deletions(-) diff --git a/drivers/isdn/hardware/eicon/diva.c b/drivers/isdn/hardware/eicon/diva.c index 944a7f3..fa239d8 100644 --- a/drivers/isdn/hardware/eicon/diva.c +++ b/drivers/isdn/hardware/eicon/diva.c @@ -388,10 +388,9 @@ void divasa_xdi_driver_unload(void) ** Receive and process command from user mode utility */ void *diva_xdi_open_adapter(void *os_handle, const void __user *src, - int length, + int length, diva_xdi_um_cfg_cmd_t *msg, divas_xdi_copy_from_user_fn_t cp_fn) { - diva_xdi_um_cfg_cmd_t msg; diva_os_xdi_adapter_t *a = NULL; diva_os_spin_lock_magic_t old_irql; struct list_head *tmp; @@ -401,21 +400,21 @@ void *diva_xdi_open_adapter(void *os_handle, const void __user *src, length, sizeof(diva_xdi_um_cfg_cmd_t))) return NULL; } - if ((*cp_fn) (os_handle, &msg, src, sizeof(msg)) <= 0) { + if ((*cp_fn) (os_handle, msg, src, sizeof(*msg)) <= 0) { DBG_ERR(("A: A(?) open, write error")) return NULL; } diva_os_enter_spin_lock(&adapter_lock, &old_irql, "open_adapter"); list_for_each(tmp, &adapter_queue) { a = list_entry(tmp, diva_os_xdi_adapter_t, link); - if (a->controller == (int)msg.adapter) + if (a->controller == (int)msg->adapter) break; a = NULL; } diva_os_leave_spin_lock(&adapter_lock, &old_irql, "open_adapter"); if (!a) { - DBG_ERR(("A: A(%d) open, adapter not found", msg.adapter)) + DBG_ERR(("A: A(%d) open, adapter not found", msg->adapter)) } return (a); @@ -437,7 +436,8 @@ void diva_xdi_close_adapter(void *adapter, void *os_handle) int diva_xdi_write(void *adapter, void *os_handle, const void __user *src, - int length, divas_xdi_copy_from_user_fn_t cp_fn) + int length, diva_xdi_um_cfg_cmd_t *msg, + divas_xdi_copy_from_user_fn_t cp_fn) { diva_os_xdi_adapter_t *a = (diva_os_xdi_adapter_t *) adapter; void *data; @@ -459,7 +459,13 @@ diva_xdi_write(void *adapter, void *os_handle, const void __user *src, return (-2); } - length = (*cp_fn) (os_handle, data, src, length); + if (msg) { + *(diva_xdi_um_cfg_cmd_t *)data = *msg; + length = (*cp_fn) (os_handle, (char *)data + sizeof(*msg), + src + sizeof(*msg), length - sizeof(*msg)); + } else { + length = (*cp_fn) (os_handle, data, src, length); + } if (length > 0) { if ((*(a->interface.cmd_proc)) (a, (diva_xdi_um_cfg_cmd_t *) data, length)) { diff --git a/drivers/isdn/hardware/eicon/diva.h b/drivers/isdn/hardware/eicon/diva.h index b067032..eb454c5 100644 --- a/drivers/isdn/hardware/eicon/diva.h +++ b/drivers/isdn/hardware/eicon/diva.h @@ -20,10 +20,11 @@ int diva_xdi_read(void *adapter, void *os_handle, void __user *dst, int max_length, divas_xdi_copy_to_user_fn_t cp_fn); int diva_xdi_write(void *adapter, void *os_handle, const void __user *src, - int length, divas_xdi_copy_from_user_fn_t cp_fn); + int length, diva_xdi_um_cfg_cmd_t *msg, + divas_xdi_copy_from_user_fn_t cp_fn); void *diva_xdi_open_adapter(void *os_handle, const void __user *src, - int length, + int length, diva_xdi_um_cfg_cmd_t *msg, divas_xdi_copy_from_user_fn_t cp_fn); void diva_xdi_close_adapter(void *adapter, void *os_handle); diff --git a/drivers/isdn/hardware/eicon/divasmain.c b/drivers/isdn/hardware/eicon/divasmain.c index b9980e8..b6a3950 100644 --- a/drivers/isdn/hardware/eicon/divasmain.c +++ b/drivers/isdn/hardware/eicon/divasmain.c @@ -591,19 +591,22 @@ static int divas_release(struct inode *inode, struct file *file) static ssize_t divas_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { + diva_xdi_um_cfg_cmd_t msg; int ret = -EINVAL; if (!file->private_data) { file->private_data = diva_xdi_open_adapter(file, buf, - count, + count, &msg, xdi_copy_from_user); - } - if (!file->private_data) { - return (-ENODEV); + if (!file->private_data) + return (-ENODEV); + ret = diva_xdi_write(file->private_data, file, + buf, count, &msg, xdi_copy_from_user); + } else { + ret = diva_xdi_write(file->private_data, file, + buf, count, NULL, xdi_copy_from_user); } - ret = diva_xdi_write(file->private_data, file, - buf, count, xdi_copy_from_user); switch (ret) { case -1: /* Message should be removed from rx mailbox first */ ret = -EBUSY; @@ -622,11 +625,12 @@ static ssize_t divas_write(struct file *file, const char __user *buf, static ssize_t divas_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) { + diva_xdi_um_cfg_cmd_t msg; int ret = -EINVAL; if (!file->private_data) { file->private_data = diva_xdi_open_adapter(file, buf, - count, + count, &msg, xdi_copy_from_user); } if (!file->private_data) { -- 2.7.4