Commit 3ddc5b46 authored by Mathieu Desnoyers's avatar Mathieu Desnoyers Committed by Linus Torvalds
Browse files

kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 



I found the following pattern that leads in to interesting findings:

  grep -r "ret.*|=.*__put_user" *
  grep -r "ret.*|=.*__get_user" *
  grep -r "ret.*|=.*__copy" *

The __put_user() calls in compat_ioctl.c, ptrace compat, signal compat,
since those appear in compat code, we could probably expect the kernel
addresses not to be reachable in the lower 32-bit range, so I think they
might not be exploitable.

For the "__get_user" cases, I don't think those are exploitable: the worse
that can happen is that the kernel will copy kernel memory into in-kernel
buffers, and will fail immediately afterward.

The alpha csum_partial_copy_from_user() seems to be missing the
access_ok() check entirely.  The fix is inspired from x86.  This could
lead to information leak on alpha.  I also noticed that many architectures
map csum_partial_copy_from_user() to csum_partial_copy_generic(), but I
wonder if the latter is performing the access checks on every
architectures.

Signed-off-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 20d0e570

arch/alpha/lib/csum_partial_copy.c

+5 −0
Original line number Diff line number Diff line
@@ -338,6 +338,11 @@ csum_partial_copy_from_user(const void __user *src, void *dst, int len, 
	unsigned long doff = 7 & (unsigned long) dst;



	if (len) {

		if (!access_ok(VERIFY_READ, src, len)) {

			*errp = -EFAULT;

			memset(dst, 0, len);

			return sum;

		}

		if (!doff) {

			if (!soff)

				checksum = csum_partial_cfu_aligned(

arch/sparc/kernel/sys_sparc32.c

+6 −6
Original line number Diff line number Diff line
@@ -169,10 +169,10 @@ COMPAT_SYSCALL_DEFINE5(rt_sigaction, int, sig, 
		new_ka.ka_restorer = restorer;

		ret = get_user(u_handler, &act->sa_handler);

		new_ka.sa.sa_handler =  compat_ptr(u_handler);

		ret |= __copy_from_user(&set32, &act->sa_mask, sizeof(compat_sigset_t));

		ret |= copy_from_user(&set32, &act->sa_mask, sizeof(compat_sigset_t));

		sigset_from_compat(&new_ka.sa.sa_mask, &set32);

		ret |= __get_user(new_ka.sa.sa_flags, &act->sa_flags);

		ret |= __get_user(u_restorer, &act->sa_restorer);

		ret |= get_user(new_ka.sa.sa_flags, &act->sa_flags);

		ret |= get_user(u_restorer, &act->sa_restorer);

		new_ka.sa.sa_restorer = compat_ptr(u_restorer);

                if (ret)

                	return -EFAULT;
@@ -183,9 +183,9 @@ COMPAT_SYSCALL_DEFINE5(rt_sigaction, int, sig, 
	if (!ret && oact) {

		sigset_to_compat(&set32, &old_ka.sa.sa_mask);

		ret = put_user(ptr_to_compat(old_ka.sa.sa_handler), &oact->sa_handler);

		ret |= __copy_to_user(&oact->sa_mask, &set32, sizeof(compat_sigset_t));

		ret |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);

		ret |= __put_user(ptr_to_compat(old_ka.sa.sa_restorer), &oact->sa_restorer);

		ret |= copy_to_user(&oact->sa_mask, &set32, sizeof(compat_sigset_t));

		ret |= put_user(old_ka.sa.sa_flags, &oact->sa_flags);

		ret |= put_user(ptr_to_compat(old_ka.sa.sa_restorer), &oact->sa_restorer);

		if (ret)

			ret = -EFAULT;

        }

block/compat_ioctl.c

+1 −1
Original line number Diff line number Diff line
@@ -70,7 +70,7 @@ static int compat_hdio_getgeo(struct gendisk *disk, struct block_device *bdev, 
		return ret;



	ret = copy_to_user(ugeo, &geo, 4);

	ret |= __put_user(geo.start, &ugeo->start);

	ret |= put_user(geo.start, &ugeo->start);

	if (ret)

		ret = -EFAULT;

kernel/signal.c

+2 −2
Original line number Diff line number Diff line
@@ -3394,7 +3394,7 @@ COMPAT_SYSCALL_DEFINE4(rt_sigaction, int, sig, 
		new_ka.sa.sa_restorer = compat_ptr(restorer);

#endif

		ret |= copy_from_user(&mask, &act->sa_mask, sizeof(mask));

		ret |= __get_user(new_ka.sa.sa_flags, &act->sa_flags);

		ret |= get_user(new_ka.sa.sa_flags, &act->sa_flags);

		if (ret)

			return -EFAULT;

		sigset_from_compat(&new_ka.sa.sa_mask, &mask);
@@ -3406,7 +3406,7 @@ COMPAT_SYSCALL_DEFINE4(rt_sigaction, int, sig, 
		ret = put_user(ptr_to_compat(old_ka.sa.sa_handler), 

			       &oact->sa_handler);

		ret |= copy_to_user(&oact->sa_mask, &mask, sizeof(mask));

		ret |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);

		ret |= put_user(old_ka.sa.sa_flags, &oact->sa_flags);

#ifdef __ARCH_HAS_SA_RESTORER

		ret |= put_user(ptr_to_compat(old_ka.sa.sa_restorer),

				&oact->sa_restorer);

net/socket.c

+25 −25
Original line number Diff line number Diff line
@@ -3072,12 +3072,12 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, 


	uifmap32 = &uifr32->ifr_ifru.ifru_map;

	err = copy_from_user(&ifr, uifr32, sizeof(ifr.ifr_name));

	err |= __get_user(ifr.ifr_map.mem_start, &uifmap32->mem_start);

	err |= __get_user(ifr.ifr_map.mem_end, &uifmap32->mem_end);

	err |= __get_user(ifr.ifr_map.base_addr, &uifmap32->base_addr);

	err |= __get_user(ifr.ifr_map.irq, &uifmap32->irq);

	err |= __get_user(ifr.ifr_map.dma, &uifmap32->dma);

	err |= __get_user(ifr.ifr_map.port, &uifmap32->port);

	err |= get_user(ifr.ifr_map.mem_start, &uifmap32->mem_start);

	err |= get_user(ifr.ifr_map.mem_end, &uifmap32->mem_end);

	err |= get_user(ifr.ifr_map.base_addr, &uifmap32->base_addr);

	err |= get_user(ifr.ifr_map.irq, &uifmap32->irq);

	err |= get_user(ifr.ifr_map.dma, &uifmap32->dma);

	err |= get_user(ifr.ifr_map.port, &uifmap32->port);

	if (err)

		return -EFAULT;
@@ -3088,12 +3088,12 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, 


	if (cmd == SIOCGIFMAP && !err) {

		err = copy_to_user(uifr32, &ifr, sizeof(ifr.ifr_name));

		err |= __put_user(ifr.ifr_map.mem_start, &uifmap32->mem_start);

		err |= __put_user(ifr.ifr_map.mem_end, &uifmap32->mem_end);

		err |= __put_user(ifr.ifr_map.base_addr, &uifmap32->base_addr);

		err |= __put_user(ifr.ifr_map.irq, &uifmap32->irq);

		err |= __put_user(ifr.ifr_map.dma, &uifmap32->dma);

		err |= __put_user(ifr.ifr_map.port, &uifmap32->port);

		err |= put_user(ifr.ifr_map.mem_start, &uifmap32->mem_start);

		err |= put_user(ifr.ifr_map.mem_end, &uifmap32->mem_end);

		err |= put_user(ifr.ifr_map.base_addr, &uifmap32->base_addr);

		err |= put_user(ifr.ifr_map.irq, &uifmap32->irq);

		err |= put_user(ifr.ifr_map.dma, &uifmap32->dma);

		err |= put_user(ifr.ifr_map.port, &uifmap32->port);

		if (err)

			err = -EFAULT;

	}
@@ -3167,25 +3167,25 @@ static int routing_ioctl(struct net *net, struct socket *sock, 
		struct in6_rtmsg32 __user *ur6 = argp;

		ret = copy_from_user(&r6.rtmsg_dst, &(ur6->rtmsg_dst),

			3 * sizeof(struct in6_addr));

		ret |= __get_user(r6.rtmsg_type, &(ur6->rtmsg_type));

		ret |= __get_user(r6.rtmsg_dst_len, &(ur6->rtmsg_dst_len));

		ret |= __get_user(r6.rtmsg_src_len, &(ur6->rtmsg_src_len));

		ret |= __get_user(r6.rtmsg_metric, &(ur6->rtmsg_metric));

		ret |= __get_user(r6.rtmsg_info, &(ur6->rtmsg_info));

		ret |= __get_user(r6.rtmsg_flags, &(ur6->rtmsg_flags));

		ret |= __get_user(r6.rtmsg_ifindex, &(ur6->rtmsg_ifindex));

		ret |= get_user(r6.rtmsg_type, &(ur6->rtmsg_type));

		ret |= get_user(r6.rtmsg_dst_len, &(ur6->rtmsg_dst_len));

		ret |= get_user(r6.rtmsg_src_len, &(ur6->rtmsg_src_len));

		ret |= get_user(r6.rtmsg_metric, &(ur6->rtmsg_metric));

		ret |= get_user(r6.rtmsg_info, &(ur6->rtmsg_info));

		ret |= get_user(r6.rtmsg_flags, &(ur6->rtmsg_flags));

		ret |= get_user(r6.rtmsg_ifindex, &(ur6->rtmsg_ifindex));



		r = (void *) &r6;

	} else { /* ipv4 */

		struct rtentry32 __user *ur4 = argp;

		ret = copy_from_user(&r4.rt_dst, &(ur4->rt_dst),

					3 * sizeof(struct sockaddr));

		ret |= __get_user(r4.rt_flags, &(ur4->rt_flags));

		ret |= __get_user(r4.rt_metric, &(ur4->rt_metric));

		ret |= __get_user(r4.rt_mtu, &(ur4->rt_mtu));

		ret |= __get_user(r4.rt_window, &(ur4->rt_window));

		ret |= __get_user(r4.rt_irtt, &(ur4->rt_irtt));

		ret |= __get_user(rtdev, &(ur4->rt_dev));

		ret |= get_user(r4.rt_flags, &(ur4->rt_flags));

		ret |= get_user(r4.rt_metric, &(ur4->rt_metric));

		ret |= get_user(r4.rt_mtu, &(ur4->rt_mtu));

		ret |= get_user(r4.rt_window, &(ur4->rt_window));

		ret |= get_user(r4.rt_irtt, &(ur4->rt_irtt));

		ret |= get_user(rtdev, &(ur4->rt_dev));

		if (rtdev) {

			ret |= copy_from_user(devname, compat_ptr(rtdev), 15);

			r4.rt_dev = (char __user __force *)devname;

CRA Git | Maintained and supported by SUSTech CRA and CCSE