Date: Tue, 22 May 2018 13:52:00 -0400 (EDT)
Message-Id: <20180522.135200.1524557376650201204.davem@davemloft.net>
To: wang6495@umn.edu
Cc: kjlu@umn.edu, mac@melware.de, isdn@linux-pingi.de, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] isdn: eicon: fix a missing-check bug
From: David Miller
In-Reply-To: <1526885887-9759-1-git-send-email-wang6495@umn.edu>
References: <1526885887-9759-1-git-send-email-wang6495@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Wenwen Wang
Date: Mon, 21 May 2018 01:58:07 -0500

> In divasmain.c, the function divas_write() firstly invokes the function
> diva_xdi_open_adapter() to open the adapter that matches with the adapter
> number provided by the user, and then invokes the function diva_xdi_write()
> to perform the write operation using the matched adapter. The two functions
> diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c.
>
> In diva_xdi_open_adapter(), the user command is copied to the object 'msg'
> from the userspace pointer 'src' through the function pointer 'cp_fn',
> which eventually calls copy_from_user() to do the copy. Then, the adapter
> number 'msg.adapter' is used to find out a matched adapter from the
> 'adapter_queue'. A matched adapter will be returned if it is found.
> Otherwise, NULL is returned to indicate the failure of the verification on
> the adapter number.
>
> As mentioned above, if a matched adapter is returned, the function
> diva_xdi_write() is invoked to perform the write operation. In this
> function, the user command is copied once again from the userspace pointer
> 'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as
> both of them are from the 'buf' pointer in divas_write(). Similarly, the
> copy is achieved through the function pointer 'cp_fn', which finally calls
> copy_from_user(). After the successful copy, the corresponding command
> processing handler of the matched adapter is invoked to perform the write
> operation.
>
> It is obvious that there are two copies here from userspace, one is in
> diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of
> these two copies share the same source userspace pointer, i.e., the 'buf'
> pointer in divas_write(). Given that a malicious userspace process can race
> to change the content pointed to by the 'buf' pointer, this can pose potential
> security issues. For example, in the first copy, the user provides a valid
> adapter number to pass the verification process and a valid adapter can be
> found. Then the user can modify the adapter number to an invalid number.
> This way, the user can bypass the verification process of the adapter
> number and inject inconsistent data.
>
> This patch reuses the data copied in
> diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the
> above issues can be avoided.
>
> Signed-off-by: Wenwen Wang

Applied and queued up for -stable.
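A minimal userspace model of the double fetch the patch description walks through, added here as an example and not code from the driver or from the patch: the adapter number is validated on the first copy from 'src' and then re-read for the write, so a source whose contents change between the two copies gets past the check, while the fixed shape hands the validated copy on. The command struct layout, the adapter lookup and the racing copy callback are constructed stand-ins, not the driver's own definitions.

```c
#include <stddef.h>
#include <string.h>
/* Model of the command header the driver reads (constructed for this example). */
struct xdi_cmd { unsigned int adapter; unsigned int command; };
#define NUM_ADAPTERS 4u        /* constructed: adapter numbers 1..4 exist */
#define BAD_ADAPTER  0xFFFFu   /* a number the lookup rejects */
/* Stand-in for the driver's 'cp_fn' (copy_from_user): returns 0 on success. */
typedef unsigned long (*cp_fn_t)(void *dst, const void *src, size_t len);
/* Stands in for the walk of 'adapter_queue': non-zero if the number is valid. */
static int lookup_adapter(unsigned int adapter) {
    return adapter >= 1 && adapter <= NUM_ADAPTERS;
}

/* Double-fetch shape from the patch text: open validates copy #1, then write
 * copies again from the same user pointer and acts on copy #2. */
int write_double_fetch(const void *src, cp_fn_t cp_fn, unsigned int *used) {
    struct xdi_cmd msg;
    if (cp_fn(&msg, src, sizeof msg) != 0 || !lookup_adapter(msg.adapter)) return -1;
    if (cp_fn(&msg, src, sizeof msg) != 0) return -1;  /* copy #2 is never validated */
    *used = msg.adapter;
    return 0;
}

/* Fixed shape: the bytes that passed validation in open are handed on to write. */
int write_single_fetch(const void *src, cp_fn_t cp_fn, unsigned int *used) {
    struct xdi_cmd msg;
    if (cp_fn(&msg, src, sizeof msg) != 0 || !lookup_adapter(msg.adapter)) return -1;
    *used = msg.adapter;                                /* same bytes that were checked */
    return 0;
}

/* Constructed user buffer whose contents change between copies: the first copy
 * yields a valid adapter number, every later copy an invalid one. */
static int fetch_count;
static unsigned long racing_cp_fn(void *dst, const void *src, size_t len) {
    struct xdi_cmd m = *(const struct xdi_cmd *)src;
    if (fetch_count++ > 0) m.adapter = BAD_ADAPTER;
    memcpy(dst, &m, len);
    return 0;
}

/* Runs one variant against the racing buffer; returns the adapter number the
 * write path ended up using, or 0 if the request was rejected. */
unsigned int adapter_used(int fixed) {
    struct xdi_cmd cmd = { 2, 0 };   /* user asks for adapter 2, which exists */
    unsigned int used = 0;
    fetch_count = 0;
    int rc = fixed ? write_single_fetch(&cmd, racing_cp_fn, &used)
                   : write_double_fetch(&cmd, racing_cp_fn, &used);
    return rc == 0 ? used : 0;
}
```

With the double fetch, the write path ends up acting on an adapter number the lookup never saw; with the single fetch it can only act on the number that was checked.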