Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1770356imm; Mon, 3 Sep 2018 09:00:12 -0700 (PDT) X-Google-Smtp-Source: ANB0VdYhtgr3fyWiKWfnnHLbStI4Qhlufa6ODWDiqxCNJvt12/LxW2Wvr9aaaPAekpeZK6JkjNb+ X-Received: by 2002:a63:e0e:: with SMTP id d14-v6mr12339607pgl.38.1535990412317; Mon, 03 Sep 2018 09:00:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535990412; cv=none; d=google.com; s=arc-20160816; b=W2TKCyoDigJ9p8O2rYFPpi4nkAICU+ZSjt5BNj9JxwB6PQ2hD1ipqthbPJwLBInZEV r86QRRKXzTAELH9VOgyk2+l28C1R0TraL2mKjFuDjIRNJP42fZHIPK0QzxPUmuwUy+iC CUZ3bdrO6dlb0936CGQewmJ5hl8DauSMiKRrPfztnbMqqMLAa8MUZVXjakTpxnhr0jUk UiVZS9beGqTSDNx9ArkDB1tn7QipuUxZXEU1Xz8OLYxUcoYEq5OUymaUXUaE74hNqhjN dKRPTzHk3LpO4JLfP6uq6VJpXGN/ewiKVZZCBAn7E7vj5DyTaehEAeTeyzxmEiGeaIYw tSyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=EnX+BQY6ul306UcbgPAw3DULIQqU5btIsQ9GZKiqgls=; b=wLy/Rwm485Q4Q2wcMDla2h00amDRH60P2qowwQU6uzRl/RDRMeisPUqEGotB8hZSZx r2f2icPrEDDH+AsAxoCKTW/vLaxTUx+Qjkb4pH2+QuO8Rwq08vGV8Nx1RHblfEBHorbf VzxIyiYAWACP0K7ZWj9bdj1HvuoQbSgCwH0zNDeWd/BUJVU6CQ5IdYg2wOCE1IwgySYs kPi8kF91K7AgFjn4gMMnNmXM8iAd1JWfCP03dr5TiFc44xUdfRFb+KRRsxI6/fEiWYDE ZvQZoNMT8SjKWXujP5Y064v+wRSWA6sfcvMVzKs1wad8Xf3+gcL5bdjI6bVP9mtclh97 0/jQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=3CleS88w; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x5-v6si4489699pga.294.2018.09.03.08.59.56; Mon, 03 Sep 2018 09:00:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=3CleS88w; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727304AbeICUTh (ORCPT + 99 others); Mon, 3 Sep 2018 16:19:37 -0400 Received: from merlin.infradead.org ([205.233.59.134]:39124 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726864AbeICUTg (ORCPT ); Mon, 3 Sep 2018 16:19:36 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=EnX+BQY6ul306UcbgPAw3DULIQqU5btIsQ9GZKiqgls=; b=3CleS88w9koUgDDgXlUvWdOh7B PDvG/H5SZJt1eodm7m4NsZFaHFBn07Y53ZmTeaLJSOONqBOhAk0yvYYC5sKhH8X17e/2G/9yPMDTF qX+nkdovxHgnMqcsQzIkdw3t9uE8YQnNxgeb48u5r4WpCstO8v1v4aYzoJI1ocnJbpl4E0BJ4hZeb fwT71ksj2Xk2kFoWOVDhRlcRCdeynAKkZlPEa1IUl6xuF5kp60DFNLXtHsZKFyUPzf7VK3F5C46Or DaCC10uFzElhL1ciuBVBbUT38VDB0Tau0866FDAyoQb2pSDrZRzHNxV0xmULpFr8OOqzlszjMKkpF l2+pZHcA==; Received: from static-50-53-52-16.bvtn.or.frontiernet.net ([50.53.52.16] helo=midway.dunlab) by merlin.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux)) id 1fwrFZ-0000Nu-4C; Mon, 03 Sep 2018 15:58:49 +0000 Subject: Re: [PATCH] firewire: nosy: don't read packets bigger than requested To: Jann Horn , stefanr@s5r6.in-berlin.de, linux1394-devel@lists.sourceforge.net Cc: kernel list References: <20180706151649.31119-1-jannh@google.com> From: Randy Dunlap Message-ID: Date: Mon, 3 Sep 2018 08:58:44 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 09/03/2018 08:55 AM, Jann Horn wrote: > On Fri, Jul 6, 2018 at 5:16 PM Jann Horn wrote: >> In general, accessing userspace memory beyond the length of the supplied >> buffer in VFS read/write handlers can lead to both kernel memory corruption >> (via kernel_read()/kernel_write(), which can e.g. be triggered via >> sys_splice()) and privilege escalation inside userspace. >> >> Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer") >> Signed-off-by: Jann Horn >> --- >> No CC stable because this device shouldn't be available to unprivileged >> code by default and should be pretty rare. >> >> drivers/firewire/nosy.c | 5 +++-- >> 1 file changed, 3 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c >> index a128dd1126ae..732075fc312e 100644 >> --- a/drivers/firewire/nosy.c >> +++ b/drivers/firewire/nosy.c >> @@ -161,11 +161,12 @@ packet_buffer_get(struct client *client, char __user *data, size_t user_length) >> if (atomic_read(&buffer->size) == 0) >> return -ENODEV; >> >> - /* FIXME: Check length <= user_length. */ >> - >> end = buffer->data + buffer->capacity; >> length = buffer->head->length; >> >> + if (length > user_length) >> + return -EINVAL; >> + >> if (&buffer->head->data[length] < end) { >> if (copy_to_user(data, buffer->head->data, length)) >> return -EFAULT; > > Ping. I sent this about two months ago, I haven't received a reply, > and from what I can tell, it hasn't landed in any tree so far... > :( I have that same problem with some Firewire documentation patches. I plan to ask someone else to merge my patches. -- ~Randy