Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp3513074pxb; Mon, 4 Apr 2022 19:25:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzWN/tEkzs8Pg0HUGJX4vPY6w1jmR9OkZVNfAUWOBEsZfo/mP+un7uI1XNyk1RkinanAK// X-Received: by 2002:a63:ce45:0:b0:399:1124:fbfe with SMTP id r5-20020a63ce45000000b003991124fbfemr993959pgi.542.1649125533329; Mon, 04 Apr 2022 19:25:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649125533; cv=none; d=google.com; s=arc-20160816; b=VIcqu38+lg2pZat/aMPt2YvUrKG0PNEN4dR7MfCkxSAgzVK53kPz1/l9txtYksUk0V q1XO88mPNXU67eIHBewD2bfBaHfAbqUx7zL1mfeKyRbdeUklRDFMmCv/J8pV+9FTmbiy F2qF/U9ucUsykY3IgmM+Uxw9BUVa8X5tX4yVI8g5TzX+/PwG65i4pPV50WW9s+Df8nb1 D8CkFv3VUVJaWuzLZW9A03zzAMUGUQRTS6wYiKMKXYdwk0qzEQdDny9HkuyLAmjgV+w1 Xvdx+YF1kcEYsREitUYGT0CSUuon0Y+AkDj2PVxroO1BjI1yXBLyj2pWJu90/JeXNWJu X0og== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=CY8co6zLoJicSSTdTG7P7CnL9vdcUOUon6nJKQn1QZI=; b=vgRcNJoizhTEuTzTF5X6dGcMOdFAIPUxjUGOgMuOOhfFHVUKW3eRf3Giwk9VwIRvPB I3OgwN+Wl/hArciyEYZ/VAFn7CZ50V+D4LWPesIaTgA6lehxXtf4M/Lz4Scpoz/v9/N3 NROhK7dcoM5hG47DPprpRUToiGBCTJ7OQbiZYXt/rOcpUZtm2nFwUadp02n/G2jxf1Nx Bmp9hwNXtwq26tE4Es6mlUKSnaCIsoJCaoaEzcOV5Q2PmIRZ0BMrjFT3ZWJS7JAG9Q99 cmY+yEeex2f2Cxuz4jCfvWM2mH8nktMFJMYTrxZTxCzxHW1SIGOHrYZSPbUhduGOb6Pc 7PVg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="P5KGhA/2"; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id l5-20020a056a0016c500b004fa6a155d5esi12318896pfc.128.2022.04.04.19.25.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Apr 2022 19:25:33 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="P5KGhA/2"; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id AAAF62D7074; Mon, 4 Apr 2022 17:47:51 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1378094AbiDDOkr (ORCPT + 99 others); Mon, 4 Apr 2022 10:40:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42994 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1377994AbiDDOjD (ORCPT ); Mon, 4 Apr 2022 10:39:03 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 622C93F88E for ; Mon, 4 Apr 2022 07:36:27 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C76F2B817DC for ; Mon, 4 Apr 2022 14:36:25 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 165FCC2BBE4; Mon, 4 Apr 2022 14:36:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649082984; bh=73qqUvZ/VQr/pWfWdhrhsVcUa7yrkg0XCAGXIPOUfDk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=P5KGhA/2BqUP1zD/DGNonn6yNZH5xmdobFP3PVt3Rbt9oyX3ANm7ArHHjWwsXEKY+ EgLiBJOG2J5kxB1TBwcc1lFIFT2sTCPweTBqAMJa6IblsCJ8FyTCxqgiki4n4OYQEy 6KVI14qtuHgedDKfR5tUiyKCWuL+js/S8LJumMxw= Date: Mon, 4 Apr 2022 16:36:21 +0200 From: Greg KH To: "Fabio M. De Francesco" Cc: Dan Carpenter , Charlie Sands , Larry.Finger@lwfinger.net, phil@philpotter.co.uk, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, paskripkin@gmail.com Subject: Re: [PATCH V2] Fix unsafe memory access by memcmp Message-ID: References: <4729027.31r3eYUQgx@leap> <20220404120332.GY3293@kadam> <1890716.PYKUYFuaPT@leap> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1890716.PYKUYFuaPT@leap> X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 04, 2022 at 04:29:48PM +0200, Fabio M. De Francesco wrote: > On luned? 4 aprile 2022 14:03:32 CEST Dan Carpenter wrote: > > On Mon, Apr 04, 2022 at 01:25:37PM +0200, Fabio M. De Francesco wrote: > > > On luned? 4 aprile 2022 12:50:41 CEST Dan Carpenter wrote: > > > > On Sun, Apr 03, 2022 at 10:52:07PM -0400, Charlie Sands wrote: > > > > > This patch fixes sparse warnings about the memcmp function unsafely > > > > > accessing userspace memory without first copying it to kernel space. > > > > > > > > > > Signed-off-by: Charlie Sands > > > > > --- > > > > > > > > > > V2: Fixed checkpatch.pl warning and changed variable name as suggested > > > > > by Greg K. H. and improved error checking on the "copy_from_user" function as > > > > > suggested by Pavel Skripkin. > > > > > > > > > > drivers/staging/r8188eu/os_dep/ioctl_linux.c | 21 ++++++++++++-------- > > > > > 1 file changed, 13 insertions(+), 8 deletions(-) > > > > > > > > > > diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c > > > > > index 7df213856d66..4b4eec2bde96 100644 > > > > > --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c > > > > > +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c > > > > > @@ -3233,23 +3233,28 @@ static int rtw_p2p_get(struct net_device *dev, > > > > > struct iw_request_info *info, > > > > > union iwreq_data *wrqu, char *extra) > > > > > { > > > > > - if (!memcmp(wrqu->data.pointer, "status", 6)) { > > > > > + char wrqu_data[9]; > > > > > + > > > > > + if (copy_from_user(wrqu_data, wrqu->data.pointer, 9) != 0) > > > > > + return 0; > > > > > > > > return -EFAULT; We can't assume that that user wants to copy 9 bytes > > > > especially when they're passing a 4 character + NUL string. > > > > > > > > This is a custom ioctl. Called from ioctl_private_iw_point(). > > > > > > > > I think if you try to dereference a user pointer like this then it will > > > > cause a crash, right? So that means no one has ever tested or used this > > > > code and we hopefully we can just delete it? > > > > > > After a quick look, I'm pretty confident that we can also delete > > > rtw_p2p_get2() and rtw_p2p_set() unless I'm overlooking something. > > > > What are the problems with rtw_p2p_get2() and rtw_p2p_set()? > > > > regards, > > dan carpenter > > > Is it safe to access user space pointers without using proper helpers? No.