Subject: Re: [PATCH] mcb: fix a missing-check bug
To: Wenwen Wang
Cc: Kangjie Lu, open list
References: <1539961894-11928-1-git-send-email-wang6495@umn.edu>
From: Johannes Thumshirn
Message-ID: <5d09862f-e903-169e-9b11-310d4a1fd01c@kernel.org>
Date: Mon, 29 Oct 2018 09:44:23 +0100
In-Reply-To: <1539961894-11928-1-git-send-email-wang6495@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Wenwen,

Sorry for the late reply:

On 19/10/18 17:11, Wenwen Wang wrote:
> In chameleon_parse_cells(), to parse each cell, the descriptor type 'dtype'
> is acquired from the IO memory region pointed to by 'p' through readl() in
> get_next_dtype(). Then 'dtype' is checked to see whether it is
> CHAMELEON_DTYPE_GENERAL. If yes, chameleon_parse_gdd() is invoked to parse the
> Chameleon general device descriptor. In chameleon_parse_gdd(), the data in
> the IO memory region is read again through readl() field by field.
> Specifically, the 'reg1' field contains the type information. That means
> the type is read twice. More importantly, no check is re-enforced after the
> second read. Given that the IO memory region can also be accessed by the
> device, it is possible that a malicious device controlled by an attacker
> can modify the type information between the two reads. This can cause
> undefined behavior of the kernel and introduce a potential security risk.

Yes, but this doesn't really mitigate the problem, does it?
If a malicious attacker controlling the MMIO space can change the register
contents after the first read, what stops him/her from doing it after the
second, third, 4096th read?

>
> 	reg1 = readl(&gdd->reg1);
> +	if ((reg1 >> 28) != CHAMELEON_DTYPE_GENERAL) {
> +		ret = -EINVAL;
> +		goto err;
> +	}

Just a piece of advice for your next submission: give that 'magic' 28 a define
(like CHAMELEON_DTYPE_SHIFT or whatever), this makes the code nicer to read.
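Review bot: the added `if ((reg1 >> 28) != CHAMELEON_DTYPE_GENERAL)` re-validates only the type nibble of the second reg1 read; the other descriptor fields that chameleon_parse_gdd() reads field by field after this point (as the commit message itself describes) are still consumed straight from device memory without any validation, so the window between reads is narrowed rather than closed, which is the objection raised above. A more robust shape is to read each descriptor field exactly once into a local copy (handing the reg1 value already read in get_next_dtype() down to the parser instead of re-reading it), validate that copy, and use only the copy afterwards; the commit message should then say what concretely goes wrong on a mismatch instead of "undefined behavior". The hunk also relies on a `ret` variable and an `err:` label outside the visible context, so it is worth confirming that both exist in chameleon_parse_gdd() and that `err` is the right cleanup path for a failure this early in the function, and, as already noted, giving the 28 a named shift constant.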