Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1726381imm; Sat, 6 Oct 2018 09:09:19 -0700 (PDT) X-Google-Smtp-Source: ACcGV61P6uaFjl7oPij4SrFQNjRd+MFBFjs0WHjVK6LHtou4DT846HryLA/vTB6vlCGe1k3EXlC1 X-Received: by 2002:a62:c186:: with SMTP id i128-v6mr17309121pfg.248.1538842159050; Sat, 06 Oct 2018 09:09:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538842159; cv=none; d=google.com; s=arc-20160816; b=M/6Ws0KWNNSbVXw2br3pxM/vfZc1jTnAMFl0asWWFDPqvqoSy+2/Aq3BJOjmi52QEr GTV4jHhlGOCZtYyrSpT//dF7AQ37T/kNHapvtG3V8mlAdRaax/c/7TmgphpWunO+Q47N z6tUiXJVHjXBHyjLquw7WDl+f73XlLEuuxKF6bR54c7aNaODBN4fc8Q4wUUn530jc1Aa oy7mNnrK4q3qP0l21rYKybr922pwzNjjYRgqSF3sLD3ZflnPCIHxgoMCTwNNdm9ShWz4 wzeCpgvN60yhDxkncsQLfvHeBYhYZ0rbTWQnZwPmjSiGcTjjoBZlt4a/0VONOZAe0vTK SPMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=WSJTVJ0TLzuTsTNEy1WN/u44tdhSVKG6jXB1LUwC8ow=; b=cSmdit9PHgHsl/Ci1bP/ad8E63jjEj5HAeXI2LNREEkxZhDYjQ1BU68btF8unZWDOM aIi29KgPR5mpvv+gIE5O1BWYKypWJTdvlowzsdNmEmEgdU/vjuRFstUzYwghHwW1uSb5 joGwMr751BgV6p6iJgDuf8g6nvBYcrg2WBB6BJ4DJu+p8hfMuVxW2G3r0mQAiruEmiO3 dTbcc56hTWAhIppfBV0jDN4PKP2cOmMyAa3XMEehvz1ldc/Mb8MugAX3+pqkFirgSw7I bkSxIQxf9RQ/3H/k/2u13pLthfWjP5yW1UaEs/aWkOXudbc3+zcEKbPP9dBxG1O6xDbb 9yDw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=bAw3fxoi; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w134-v6si13695334pfd.55.2018.10.06.09.08.52; Sat, 06 Oct 2018 09:09:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=bAw3fxoi; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727750AbeJFXMl (ORCPT + 99 others); Sat, 6 Oct 2018 19:12:41 -0400 Received: from mta-p7.oit.umn.edu ([134.84.196.207]:58858 "EHLO mta-p7.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725266AbeJFXMk (ORCPT ); Sat, 6 Oct 2018 19:12:40 -0400 Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id DFD8211A3 for ; Sat, 6 Oct 2018 16:08:45 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w8_ySsCUFMME for ; Sat, 6 Oct 2018 11:08:45 -0500 (CDT) Received: from mail-io1-f71.google.com (mail-io1-f71.google.com [209.85.166.71]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id B2A371196 for ; Sat, 6 Oct 2018 11:08:45 -0500 (CDT) Received: by mail-io1-f71.google.com with SMTP id c21-v6so15193737ioi.14 for ; Sat, 06 Oct 2018 09:08:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=from:to:cc:subject:date:message-id; bh=WSJTVJ0TLzuTsTNEy1WN/u44tdhSVKG6jXB1LUwC8ow=; b=bAw3fxoiy7D2exPDuGSpJVoioiM1OmMh4qGilFSk8NgMdD403bJRvpFt7Hao9plcHj Abgt5LirtVEpg6A+7h7//2f7yhClksoUfbN1uzwS+vdI/RGmx8uOzel+cJIj7RW+uxBG mG30wc0tf6U1JkrdE3DqOxd8T05chQp+xzkV2DNDL2J3vKMrMmn+G9ybgn3mmUBwyekN ZtZX0GhgMpx2Z20kzczBdaGqy8jnJbCkQr/QhIir1pJ4Uxzk7PI2J25+DSgHsm2gTAsG MKi2BFLZbQwVO4cwug9VqO0EkJC3rCsODdDYwNXujsIqBl5ox+/WuF3WyhHYp1MmUsQ6 zAiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=WSJTVJ0TLzuTsTNEy1WN/u44tdhSVKG6jXB1LUwC8ow=; b=WLT6+zS4kk+IYMNpOrPlavGIt89PY/IPc1bII0X/gYVNraXGtVmdqtNt0EGho0HRfC xSTHC7EzQAeiARvTnEzqEybczPgFi0zUcmUN8dDq47e1Lqp2lvI3CUgy5+aPucWOzVuS pR3dIJmDQwts2UChWq3V6i4YkcmCTUjUeq+DZTy4xyRzKbc2wwzo6szh6JhhMKfSKjJT ah8rJTfipiNBG2SMDa77gF6E92mh1q5iHr7IAzEUP8JeqGcZo0onxwRJaWEySfUx38SH 2wjkXehEdWp7jKgO5BMLU0jAAuConp1xvCVGTUQ0chtUmEN6B/wU5cMup1CPdWtu3sTx K/2g== X-Gm-Message-State: ABuFfog1R9rjc4jLgpzrtIBF9ncqRNTv4d6NXj3BBIgXZvY1z4ZooVjh 6rT6oGIwDSjpBQiKxDsI6/hzKPEDXJjlYw3kXz/tdVV/RvCRL641vrnYPA4YHE/qV0t1YfR6IYz Lv+sXy0Euh6BZBGaJoCnwD9dWj8bF X-Received: by 2002:a6b:5306:: with SMTP id h6-v6mr11121231iob.117.1538842125360; Sat, 06 Oct 2018 09:08:45 -0700 (PDT) X-Received: by 2002:a6b:5306:: with SMTP id h6-v6mr11121224iob.117.1538842125161; Sat, 06 Oct 2018 09:08:45 -0700 (PDT) Received: from cs-u-cslp16.cs.umn.edu (cs-u-cslp16.cs.umn.edu. [134.84.121.95]) by smtp.gmail.com with ESMTPSA id y11-v6sm2838557ioa.24.2018.10.06.09.08.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 06 Oct 2018 09:08:44 -0700 (PDT) From: Wenwen Wang To: Wenwen Wang Cc: Kangjie Lu , Julian Wiedmann , Ursula Braun , Martin Schwidefsky , Heiko Carstens , linux-s390@vger.kernel.org (open list:S390 NETWORK DRIVERS), linux-kernel@vger.kernel.org (open list) Subject: [PATCH] s390/qeth: fix a missing-check bug Date: Sat, 6 Oct 2018 11:08:23 -0500 Message-Id: <1538842104-26018-1-git-send-email-wang6495@umn.edu> X-Mailer: git-send-email 2.7.4 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In qeth_snmp_command(), the length of the user request is firstly copied from the user-space buffer 'udata' to the kernel variable 'req_len' and checked to see whether it is too large. If the check fails, an error code EINVAL is returned. Otherwise, the execution continues and the whole buffer is copied again from 'udata' and saved to the kernel buffer 'ureq'. However, after the second copy, no re-check is enforced on the newly-copied request length. Given that the buffer 'udata' is in the user space, a malicious user can race to change the request length between the two copies. In this way, the attacker can supply malicious data to the kernel and cause undefined behavior. This patch adds a re-check on the request length after the second copy from the buffer 'udata'. If the newly-copied value is different from the value obtained in the first copy, i.e., 'req_len', an error code EINVAL will be returned after the buffer 'ureq' is freed. Signed-off-by: Wenwen Wang --- drivers/s390/net/qeth_core_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c index de82824..6199743 100644 --- a/drivers/s390/net/qeth_core_main.c +++ b/drivers/s390/net/qeth_core_main.c @@ -4613,6 +4613,10 @@ static int qeth_snmp_command(struct qeth_card *card, char __user *udata) QETH_CARD_TEXT(card, 2, "snmpnome"); return PTR_ERR(ureq); } + if (ureq->hdr.req_len != req_len) { + kfree(ureq); + return -EINVAL; + } qinfo.udata_len = ureq->hdr.data_len; qinfo.udata = kzalloc(qinfo.udata_len, GFP_KERNEL); if (!qinfo.udata) { -- 2.7.4