Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3161904imm; Sun, 7 Oct 2018 22:02:38 -0700 (PDT) X-Google-Smtp-Source: ACcGV63LYyOe19ECQKVYZMMP4mLFLT1JDyR8zqFyN2VAiz5+p/rqhsH7cRYpDH87w4kNnnl+6O85 X-Received: by 2002:a17:902:b287:: with SMTP id u7-v6mr22110529plr.123.1538974958926; Sun, 07 Oct 2018 22:02:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538974958; cv=none; d=google.com; s=arc-20160816; b=mkMH+RwgMHPUqw3qPmtsAuv4o1rTSm7NN/yvYFtxBZOq2hXD9a5cgAG+qm2tbgs6Qo QB8JR9c6xStKtNIdSMoUmIgm0H3I31BNd10UrbipmSh3F33ghoGcwj2dsh9o3z3wf3NR 1Ur4I6H/7nXgzi+KpXCVT0q1v/+LR6Ezy3uX2aHYmQA3t1mgI102ooaKveEy6Yr/HDcv 2eXZtdWfsPLqqXYdfMvg7qTKkd4nOszTtGmOBZ8fQTp24q6H6Oed3pWLKMn/B+ixxPtp EBsl7IP7wph5dpDGihXkTtIxJbCmC6GJJ0TkSl9iuRUxnviJyut5aSq0CdKsHYWDVtwM JTSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition :content-transfer-encoding:message-id:in-reply-to:mime-version :references:subject:cc:to:from:date; bh=UlpRv77u2/tQ1rUxc0CX7OF1sAmDeiRkd4aZkSOz13U=; b=yDOqkpb9Y3alNVu6/hivgwwxNk3ZaWRRrlYoRqO/yvjnUR8quufoERBnyhN1/WtTqN NuVagR96sCPYofeS0QxZD7zRFAcfqcjKk0hq+uNOp2Ct1k1n8BTph8yMOGe2B/AIJLRH HcKMUCNocN6easnMQYkq8plQJqmdRQ2NakzaAnj86vEu1J4efcSaXtoTEausb73Ku6sc k6bKveBxxaRqpZtYGOLDOg8+j3UQg+FacAVvyMI5DqXcTP31tixLwLeVKaeMTQeK3/tN BQDatXZR6FGA73eYkX4/jhSJqQlWz6jodGiwsotOeHvCte4OQbFzbmbSKf0RBMhTsXa+ DmYA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 127-v6si16158070pgj.25.2018.10.07.22.01.51; Sun, 07 Oct 2018 22:02:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726373AbeJHMLa (ORCPT + 99 others); Mon, 8 Oct 2018 08:11:30 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:57958 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725946AbeJHMLa (ORCPT ); Mon, 8 Oct 2018 08:11:30 -0400 Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w984wmbj109143 for ; Mon, 8 Oct 2018 01:01:41 -0400 Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103]) by mx0a-001b2d01.pphosted.com with ESMTP id 2myxnkd0h4-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 08 Oct 2018 01:01:41 -0400 Received: from localhost by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 8 Oct 2018 06:01:38 +0100 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 8 Oct 2018 06:01:35 +0100 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w9851Xp164815146 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 8 Oct 2018 05:01:33 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8C0D14C044; Mon, 8 Oct 2018 08:01:11 +0100 (BST) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 57F2B4C058; Mon, 8 Oct 2018 08:01:11 +0100 (BST) Received: from osiris (unknown [9.152.212.171]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTPS; Mon, 8 Oct 2018 08:01:11 +0100 (BST) Date: Mon, 8 Oct 2018 07:01:30 +0200 From: Heiko Carstens To: Wenwen Wang Cc: Kangjie Lu , Julian Wiedmann , Ursula Braun , Martin Schwidefsky , "open list:S390 NETWORK DRIVERS" , open list Subject: Re: [PATCH] s390/qeth: fix a missing-check bug References: <1538842104-26018-1-git-send-email-wang6495@umn.edu> MIME-Version: 1.0 In-Reply-To: <1538842104-26018-1-git-send-email-wang6495@umn.edu> X-TM-AS-GCONF: 00 x-cbid: 18100805-0028-0000-0000-00000303DA6D X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18100805-0029-0000-0000-000023BE244B Message-Id: <20181008050130.GA4148@osiris> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit Content-Disposition: inline X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-10-08_02:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=942 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810080051 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Oct 06, 2018 at 11:08:23AM -0500, Wenwen Wang wrote: > In qeth_snmp_command(), the length of the user request is firstly copied > from the user-space buffer 'udata' to the kernel variable 'req_len' and > checked to see whether it is too large. If the check fails, an error code > EINVAL is returned. Otherwise, the execution continues and the whole buffer > is copied again from 'udata' and saved to the kernel buffer 'ureq'. > However, after the second copy, no re-check is enforced on the newly-copied > request length. Given that the buffer 'udata' is in the user space, a > malicious user can race to change the request length between the two > copies. In this way, the attacker can supply malicious data to the kernel > and cause undefined behavior. > > This patch adds a re-check on the request length after the second copy from > the buffer 'udata'. If the newly-copied value is different from the value > obtained in the first copy, i.e., 'req_len', an error code EINVAL will be > returned after the buffer 'ureq' is freed. > > Signed-off-by: Wenwen Wang > --- > drivers/s390/net/qeth_core_main.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c > index de82824..6199743 100644 > --- a/drivers/s390/net/qeth_core_main.c > +++ b/drivers/s390/net/qeth_core_main.c > @@ -4613,6 +4613,10 @@ static int qeth_snmp_command(struct qeth_card *card, char __user *udata) > QETH_CARD_TEXT(card, 2, "snmpnome"); > return PTR_ERR(ureq); > } > + if (ureq->hdr.req_len != req_len) { > + kfree(ureq); > + return -EINVAL; > + } ureq->hdr.req_len is not used anywhere in the code, so could you please explain what the undefined behavior is? You could argue that adding a second sanity check may help to avoid potential future bugs, but currently the code looks sane to me.