Date: Mon, 10 Jun 2019 11:20:43 -0700
From: Kees Cook <keescook@...omium.org>
To: "Khajapasha, Mohammed" <mohammed.khajapasha@...el.com>
Cc: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: Regarding add detection for double-reads

On Mon, Jun 10, 2019 at 05:19:17PM +0000, Khajapasha, Mohammed wrote:
> As discussed over IRC, could you please provide some point on "add detection for double-reads".

Hi!

This was about following up on building a good Coccinelle script that
would warn about cases where the kernel reads from userspace twice at
the same location which may result in bugs like reading the size of a
structure at the start of a structure, allocating a size, then filling
the structure with a second read (at which point the size may have
changed). For example:

struct example {
	unsigned int bytes;
	unsigned int flags;
	u8 data[];
};

int do_user_interface(struct example __user *user_instance)
{
	struct example *instance;
	unsigned int size;

	/* First read from userspace: only the size header. */
	if (copy_from_user(&size, user_instance, sizeof(size)))
		return -EFAULT;
	instance = kmalloc(size, GFP_KERNEL);
	if (!instance)
		return -EINVAL;
	/* Second read of the same user memory: userspace may have changed it. */
	if (copy_from_user(instance, user_instance, size)) {
		kfree(instance);
		return -EFAULT;
	}
	perform_actions(instance);
	return 0;
}

The "bytes" field of the instance passed to perform_actions() may not
contain the right value, leading to possible heap overflows when
accessing instance->data[]...

What's needed after the second copy_from_user() is:

	/* Re-check the size that was re-read against the size allocated. */
	if (instance->bytes != size) {
		kfree(instance);
		return -EINVAL;
	}

But _finding_ the cases is what I'd like to nail down and get into the
kernel scripts. The thread that needs following up is here:

https://lore.kernel.org/lkml/20160426222442.GA8104@www.outflux.net


-- 
Kees Cook
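
A starting point for the kind of Coccinelle script the message asks for, added here as an illustration rather than anything from the thread or the kernel tree: it matches two copy_from_user() calls in one function that read from the same user pointer and reports the second one. The rule names (double_read, p1, p2) and the message text are my own choices; it follows the `virtual report` / `coccilib.report.print_report` conventions used by the scripts under scripts/coccinelle/.

```coccinelle
// Flag a second copy_from_user() from the same user pointer within one
// function: the data read the first time may have changed by the second
// read (the double-read / time-of-check-time-of-use pattern).
virtual report

@double_read@
expression dst1, dst2, src, len1, len2;
position p1, p2;
@@

 copy_from_user@p1(dst1, src, len1)
 ...
 copy_from_user@p2(dst2, src, len2)

@script:python depends on report@
p1 << double_read.p1;
p2 << double_read.p2;
@@

// Report at the second read and point back at the first one, so the
// reviewer knows which earlier value must be re-validated.
msg = "second copy_from_user() from the same user pointer as line %s; " \
      "re-validate any size or field read the first time" % p1[0].line
coccilib.report.print_report(p2[0], msg)
```

Run with `spatch --sp-file double-read.cocci -D report <file.c>`; the script reports every such pair, including code that already re-checks the re-read value, so its output is a review list rather than a list of bugs.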
