Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp3613350rwd; Sat, 3 Jun 2023 08:24:52 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5BcMoftQeNNi9OkTxotwba4GCw0OngE1MtpocAk3bQxF4K1iNks9a5Ckcuz3Fll3z6lm1e X-Received: by 2002:a05:6a20:a18e:b0:10e:2fd5:5106 with SMTP id r14-20020a056a20a18e00b0010e2fd55106mr473897pzk.35.1685805892037; Sat, 03 Jun 2023 08:24:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685805892; cv=none; d=google.com; s=arc-20160816; b=TFMINXHC+PKDHIM7qVclMvyMVhcEPftk4VxqRb5dBpSZ5T7Dz34BhtS59CfElvT0IG 3qHMsN5ueRjuTAeMstNCrQfbWgVSImczrG2oG2Y8gWQMzYb44ylLTWUe5SlWiZnBUHNd ns0c9Ae6lk4jpZ7RPUaFyhBwbSzl0NDewXwNAg5N49YA91U8+NTc2HowPGQAXFoXA/y4 6lNXbRBJJEv6RrrkV36zEc8oDQgcILGLrIUSBDI3OtpwsE6HT9jXPT8y8ytQdaF/fvrz Pr1qekfBctlvnoScGihBCQRj+zrYOPdxT0phm+V0yzjA9XHPuPoosnrTWTqJ3TXfcHf7 V3bQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :feedback-id:dkim-signature:dkim-signature; bh=SGVGhCOi3wbBYhOjjO56k89nCKOx38H3KskyWEyWiGs=; b=TLq/r9AnPqu9LSAECweeMZrcK7qyPZW3h169CH+WfIc0Ss0xnYivATgZBQGhni53kn gIvbXZYlpDhqDRt88d7HJN1ifQvb9mBzwsxxyXhSub2dg8L+R9D6bWnyLlzPedqN+2wj b6AyLe/8ZE5TjHBxLA9/JVfgUwCyWUOZs+xfAxSlR0nYrCObrrMBiPaDgpqbnVyeeXxz QnoZF691CbmxHOt8uCLufRlfb3TUmzJOORE/GOymjtd4Q7KNpOz5vxQcUYgosoTSLjG/ XIZRalkHrawfJgmI2MheYchjAOP/4bwGtwW35cpVDhgyh9yNYO3paU22uchYc98dByLf RCdQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@invisiblethingslab.com header.s=fm1 header.b=Jp89MgG4; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=UkziZXYY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x4-20020a636304000000b00542897dcc22si2761782pgb.516.2023.06.03.08.24.37; Sat, 03 Jun 2023 08:24:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@invisiblethingslab.com header.s=fm1 header.b=Jp89MgG4; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=UkziZXYY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237102AbjFCOx1 (ORCPT + 99 others); Sat, 3 Jun 2023 10:53:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60842 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230216AbjFCOxU (ORCPT ); Sat, 3 Jun 2023 10:53:20 -0400 Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 35E5318D; Sat, 3 Jun 2023 07:53:19 -0700 (PDT) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id A327A5C0159; Sat, 3 Jun 2023 10:53:18 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Sat, 03 Jun 2023 10:53:18 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685803998; x=1685890398; bh=SGVGhCOi3w bBYhOjjO56k89nCKOx38H3KskyWEyWiGs=; b=Jp89MgG4yUz6UPx66J59ThD/Bv 3ZmoZxMs4OXV2lcM3NtGZ1+UwTxPbybEYji7PBUqV0YDPubWeHhoApOzzqgRunbx u/qf3o3FIUR7HBbfc7NkBLmBiEXcUzLwK/320g73bLp5ay2ZIWznc1FYUb3MSFtl 59VocK8gNlxmhjSUSAZfrTNpmmx56seI0FFOELKYP+IWK4GOvswszANk66ngrsDG CyejlAATPIaaQkQzp88yGgiT6wFnN1mXxmZPe4XJJJGnH8ZrkvF2NZx2jJKjNeY9 RR+AXGW+9HkZ3B8ek24czu+OkLOSH0RQS7TltXzpejPZiiohWxhF7DvT2UFg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685803998; x= 1685890398; bh=SGVGhCOi3wbBYhOjjO56k89nCKOx38H3KskyWEyWiGs=; b=U kziZXYYR49LS1/JS1PPJU3ZfdZdjsPIGAHpa1LSgkDMjoiXcnVMZMDTuW0VVTEc7 Lf8QpJlAPv5+mQ165EPrrifFO1xdZr1ZeetZex2wKPImB2PPgPNE/k34wH4zIXiY RRJeW0O+OmNb0kamWKXl0CvoraCZuEdkiU35/mOAWXP9fMaC5riJxe0vE9+gzV+I uYfAbfwAgR8OeqlS9S5vhOscLXpBMdP2lI09LLqJtKiYjmxcbzT7sAZ6MZJeRGzt qxCFZbUW0jNtN286djwYT5SzDreLZNhjc4VUfwapiXizqb/ZXMZjNnZuRC44C2pU /1QYevHp01cFM8KqW3LWg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeelhedgkedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepffgvmhhi ucforghrihgvucfqsggvnhhouhhruceouggvmhhisehinhhvihhsihgslhgvthhhihhngh hslhgrsgdrtghomheqnecuggftrfgrthhtvghrnhepjeffjefggfeugeduvedvjeekgfeh gffhhfffjeetkeelueefffetfffhtdduheetnecuvehluhhsthgvrhfuihiivgepfeenuc frrghrrghmpehmrghilhhfrhhomhepuggvmhhisehinhhvihhsihgslhgvthhhihhnghhs lhgrsgdrtghomh X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 3 Jun 2023 10:53:17 -0400 (EDT) From: Demi Marie Obenour To: Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 4/6] device-mapper: Avoid double-fetch of version Date: Sat, 3 Jun 2023 10:52:42 -0400 Message-Id: <20230603145244.1538-5-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230603145244.1538-1-demi@invisiblethingslab.com> References: <20230601212456.1533-1-demi@invisiblethingslab.com> <20230603145244.1538-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_NONE, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The version is fetched once in check_version(), which then does some validation and then overwrites the version in userspace with the API version supported by the kernel. copy_params() then fetches the version from userspace *again*, and this time no validation is done. The result is that the kernel's version number is completely controllable by userspace, provided that userspace can win a race condition. Fix this flaw by not copying the version back to the kernel the second time. This is not exploitable as the version is not further used in the kernel. However, it could become a problem if future patches start relying on the version field. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index da6ca26b51d0953df380582bb3a51c2ec22c27cb..7510afe237d979a5ee71afe87a20d49f631de1aa 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1873,30 +1873,33 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags) * As well as checking the version compatibility this always * copies the kernel interface version out. */ -static int check_version(unsigned int cmd, struct dm_ioctl __user *user) +static int check_version(unsigned int cmd, struct dm_ioctl __user *user, + struct dm_ioctl *kernel_params) { - uint32_t version[3]; int r = 0; - if (copy_from_user(version, user->version, sizeof(version))) + if (copy_from_user(kernel_params->version, user->version, sizeof(kernel_params->version))) return -EFAULT; - if ((version[0] != DM_VERSION_MAJOR) || - (version[1] > DM_VERSION_MINOR)) { + if ((kernel_params->version[0] != DM_VERSION_MAJOR) || + (kernel_params->version[1] > DM_VERSION_MINOR)) { DMERR("ioctl interface mismatch: kernel(%u.%u.%u), user(%u.%u.%u), cmd(%d)", DM_VERSION_MAJOR, DM_VERSION_MINOR, DM_VERSION_PATCHLEVEL, - version[0], version[1], version[2], cmd); + kernel_params->version[0], + kernel_params->version[1], + kernel_params->version[2], + cmd); r = -EINVAL; } /* * Fill in the kernel version. */ - version[0] = DM_VERSION_MAJOR; - version[1] = DM_VERSION_MINOR; - version[2] = DM_VERSION_PATCHLEVEL; - if (copy_to_user(user->version, version, sizeof(version))) + kernel_params->version[0] = DM_VERSION_MAJOR; + kernel_params->version[1] = DM_VERSION_MINOR; + kernel_params->version[2] = DM_VERSION_PATCHLEVEL; + if (copy_to_user(user->version, kernel_params->version, sizeof(kernel_params->version))) return -EFAULT; return r; @@ -1922,7 +1925,10 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern const size_t minimum_data_size = offsetof(struct dm_ioctl, data); unsigned int noio_flag; - if (copy_from_user(param_kernel, user, minimum_data_size)) + /* Version has been copied from userspace already, avoid TOCTOU */ + if (copy_from_user((char *)param_kernel + sizeof(param_kernel->version), + (char __user *)user + sizeof(param_kernel->version), + minimum_data_size - sizeof(param_kernel->version))) return -EFAULT; if (param_kernel->data_size < minimum_data_size) { @@ -2034,7 +2040,7 @@ static int ctl_ioctl(struct file *file, uint command, struct dm_ioctl __user *us * Check the interface version passed in. This also * writes out the kernel's interface version. */ - r = check_version(cmd, user); + r = check_version(cmd, user, ¶m_kernel); if (r) return r; -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab