Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2272966imm;
        Wed, 3 Oct 2018 00:57:41 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60zntdBNAtOSQ806C32tqkaDUuS36bMxjZ5L/89EmjkPKw37wp5sXfaGOEi6uvklAn3ccof
X-Received: by 2002:a65:47cb:: with SMTP id f11-v6mr284027pgs.166.1538553461224;
        Wed, 03 Oct 2018 00:57:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538553461; cv=none;
        d=google.com; s=arc-20160816;
        b=uxVdmkL9P4NBtiFFi6L2vo63Hl8F4n/tvN0CYRYG+Jn/lnEX7WjMXPTEjHQx4T37q+
         4hPIUtbU5Sno0BBeA9z51v4u82ZlCYwh19n3Jgef7+QAwQjfb0toDtq5u//KNiME0mU9
         tn3MYuEiedwFAXikwlx69XOiwqqKJhbnTlTJpXQYxjQU+5MKkbh3Pn90CIO2IE0xTaNK
         qO1ybYIpOOSvxUYnZCbRwpf7skF7PlPr62lJCrSMdAL8LmwWCcRtJuz3Vp2ozos5+6UC
         fKoE4X4zEmkDpbxWlj9hTFLiPjiSbCIDoSAJ7d1U5BmjBz1zq3GroHHwpOGhYwmGyQQB
         MZSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:references
         :in-reply-to:subject:cc:to:from;
        bh=ZZqz3p5as4pOLkxjY0UuNBoaJkCateqc6Qdd1hVLsAA=;
        b=GsRh9BcDu6xte5ZhzY+CXp4RHha+rgL2pi707PqPNokF3PSJA1Ba28tONqq1uSob64
         yS0civlqj+Pk0XqTVXX1DpyJLFDMGISDxl6UPZY8jcA14ZjeGcloizg/dDqQ5NRU/os9
         ysIQ3RyzmVzZS+zAcaNQqO7Ja7Zy1ECv+mE33EEAIWHc84wyo1DZ/qkg0h5L/f+L61bq
         4ntsUTvB021NxiN6fYyZI0KII+GlKuVAVu0duy9UWjKFJDKiJlVDNrr2sh0NZKA8O8sX
         U+FWJFaB9h1EpSxp1lpnVMeqL1FY3K8dgEx2pRp5PWjmfSupyTfHRXgLDUaTJuc3rWYd
         5RtQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a186-v6si713971pge.55.2018.10.03.00.57.26;
        Wed, 03 Oct 2018 00:57:41 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727028AbeJCOo2 (ORCPT <rfc822;epopevad@gmail.com> + 99 others);
        Wed, 3 Oct 2018 10:44:28 -0400
Received: from mga14.intel.com ([192.55.52.115]:65068 "EHLO mga14.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725951AbeJCOo2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 3 Oct 2018 10:44:28 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga003.jf.intel.com ([10.7.209.27])
  by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Oct 2018 00:57:11 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,335,1534834800"; 
   d="scan'208";a="88749359"
Received: from um.fi.intel.com (HELO localhost) ([10.237.72.212])
  by orsmga003.jf.intel.com with ESMTP; 03 Oct 2018 00:56:41 -0700
From:   Alexander Shishkin <alexander.shishkin@linux.intel.com>
To:     Wenwen Wang <wang6495@umn.edu>, Wenwen Wang <wang6495@umn.edu>
Cc:     Kangjie Lu <kjlu@umn.edu>, open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] stm class: fix a missing-check bug
In-Reply-To: <1538542259-11868-1-git-send-email-wang6495@umn.edu>
References: <1538542259-11868-1-git-send-email-wang6495@umn.edu>
Date:   Wed, 03 Oct 2018 10:56:40 +0300
Message-ID: <87h8i379af.fsf@ashishki-desk.ger.corp.intel.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Wenwen Wang <wang6495@umn.edu> writes:

> In stm_char_policy_set_ioctl(), the 'size' field of the struct
> 'stp_polic_id' is firstly copied from the user space and then checked,
> because the length of the 'id' field in this struct, which represents an
> identification string, is not fixed. If the 'size' field cannot pass the
> check, an error code EINVAL will be returned. However, after the check, the
> whole struct is copied again from the user space. Given that the user data
> resides in the user space, a malicious user-space process can race to
> change the size between the two copies. By doing so, the attacker can
> bypass the check on the 'size' field and inject malicious data.

How? The id->size is not used for anything.

And even if there was a problem, this:

> -	if (copy_from_user(id, arg, size)) {
> +	if (copy_from_user(&id->master, (char __user *)arg + sizeof(size),
> +				size - sizeof(size))) {

is completely pointless.

>  		ret = -EFAULT;
>  		goto err_free;
>  	}
>  
> +	id->size = size;

So, if we did use id->size after the copying, we'd indeed have this line
in the code. But since we don't, it's also pointless, so it's not there.

Thanks,
--
Alex