Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2272966imm; Wed, 3 Oct 2018 00:57:41 -0700 (PDT) X-Google-Smtp-Source: ACcGV60zntdBNAtOSQ806C32tqkaDUuS36bMxjZ5L/89EmjkPKw37wp5sXfaGOEi6uvklAn3ccof X-Received: by 2002:a65:47cb:: with SMTP id f11-v6mr284027pgs.166.1538553461224; Wed, 03 Oct 2018 00:57:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538553461; cv=none; d=google.com; s=arc-20160816; b=uxVdmkL9P4NBtiFFi6L2vo63Hl8F4n/tvN0CYRYG+Jn/lnEX7WjMXPTEjHQx4T37q+ 4hPIUtbU5Sno0BBeA9z51v4u82ZlCYwh19n3Jgef7+QAwQjfb0toDtq5u//KNiME0mU9 tn3MYuEiedwFAXikwlx69XOiwqqKJhbnTlTJpXQYxjQU+5MKkbh3Pn90CIO2IE0xTaNK qO1ybYIpOOSvxUYnZCbRwpf7skF7PlPr62lJCrSMdAL8LmwWCcRtJuz3Vp2ozos5+6UC fKoE4X4zEmkDpbxWlj9hTFLiPjiSbCIDoSAJ7d1U5BmjBz1zq3GroHHwpOGhYwmGyQQB MZSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from; bh=ZZqz3p5as4pOLkxjY0UuNBoaJkCateqc6Qdd1hVLsAA=; b=GsRh9BcDu6xte5ZhzY+CXp4RHha+rgL2pi707PqPNokF3PSJA1Ba28tONqq1uSob64 yS0civlqj+Pk0XqTVXX1DpyJLFDMGISDxl6UPZY8jcA14ZjeGcloizg/dDqQ5NRU/os9 ysIQ3RyzmVzZS+zAcaNQqO7Ja7Zy1ECv+mE33EEAIWHc84wyo1DZ/qkg0h5L/f+L61bq 4ntsUTvB021NxiN6fYyZI0KII+GlKuVAVu0duy9UWjKFJDKiJlVDNrr2sh0NZKA8O8sX U+FWJFaB9h1EpSxp1lpnVMeqL1FY3K8dgEx2pRp5PWjmfSupyTfHRXgLDUaTJuc3rWYd 5RtQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a186-v6si713971pge.55.2018.10.03.00.57.26; Wed, 03 Oct 2018 00:57:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727028AbeJCOo2 (ORCPT + 99 others); Wed, 3 Oct 2018 10:44:28 -0400 Received: from mga14.intel.com ([192.55.52.115]:65068 "EHLO mga14.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725951AbeJCOo2 (ORCPT ); Wed, 3 Oct 2018 10:44:28 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Oct 2018 00:57:11 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,335,1534834800"; d="scan'208";a="88749359" Received: from um.fi.intel.com (HELO localhost) ([10.237.72.212]) by orsmga003.jf.intel.com with ESMTP; 03 Oct 2018 00:56:41 -0700 From: Alexander Shishkin To: Wenwen Wang , Wenwen Wang Cc: Kangjie Lu , open list Subject: Re: [PATCH] stm class: fix a missing-check bug In-Reply-To: <1538542259-11868-1-git-send-email-wang6495@umn.edu> References: <1538542259-11868-1-git-send-email-wang6495@umn.edu> Date: Wed, 03 Oct 2018 10:56:40 +0300 Message-ID: <87h8i379af.fsf@ashishki-desk.ger.corp.intel.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Wenwen Wang writes: > In stm_char_policy_set_ioctl(), the 'size' field of the struct > 'stp_polic_id' is firstly copied from the user space and then checked, > because the length of the 'id' field in this struct, which represents an > identification string, is not fixed. If the 'size' field cannot pass the > check, an error code EINVAL will be returned. However, after the check, the > whole struct is copied again from the user space. Given that the user data > resides in the user space, a malicious user-space process can race to > change the size between the two copies. By doing so, the attacker can > bypass the check on the 'size' field and inject malicious data. How? The id->size is not used for anything. And even if there was a problem, this: > - if (copy_from_user(id, arg, size)) { > + if (copy_from_user(&id->master, (char __user *)arg + sizeof(size), > + size - sizeof(size))) { is completely pointless. > ret = -EFAULT; > goto err_free; > } > > + id->size = size; So, if we did use id->size after the copying, we'd indeed have this line in the code. But since we don't, it's also pointless, so it's not there. Thanks, -- Alex