Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 9 Aug 2019 16:36:52 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>
Cc: Jiri Kosina <jikos@...nel.org>, linux-block@...r.kernel.org,
 linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>,
 Mukesh Ojha <mojha@...eaurora.org>,
 "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
 Denis Efremov <efremov@...ux.com>, Julia Lawall <Julia.Lawall@...6.fr>,
 Gilles Muller <Gilles.Muller@...6.fr>, Nicolas Palix
 <nicolas.palix@...g.fr>, Michal Marek <michal.lkml@...kovi.net>,
 cocci@...teme.lip6.fr
Subject: Re: [PATCH] floppy: fix usercopy direction

Hello everyone!

On 27.03.2019 1:03, Jann Horn wrote:
> As sparse points out, these two copy_from_user() should actually be
> copy_to_user().

I've spent some time on these bugs, but it turned out that they are already public.

I think Jann's patch is lost, it is not applied to the mainline.
So I add a new floppy maintainer Denis Efremov to CC.

These bugs on x86_64 cause memset for the userspace memory from the kernelspace.
That is funny:
 - access_ok for the copy_from_user source (2nd argument) returns zero;
 - copy_from_user tries to erase the destination (1st argument);
 - but the destination is in the userspace instead of kernelspace.

So we have:
[   40.937098] BUG: unable to handle page fault for address: 0000000041414242
[   40.938714] #PF: supervisor write access in kernel mode
[   40.939951] #PF: error_code(0x0002) - not-present page
[   40.941121] PGD 7963f067 P4D 7963f067 PUD 0
[   40.942107] Oops: 0002 [#1] SMP NOPTI
[   40.942968] CPU: 0 PID: 292 Comm: d Not tainted 5.3.0-rc3+ #7
[   40.944288] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   40.946478] RIP: 0010:__memset+0x24/0x30
[   40.947394] Code: 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83 e2 07
48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89
d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
[   40.951721] RSP: 0018:ffffc900003dbd58 EFLAGS: 00010206
[   40.952941] RAX: 0000000000000000 RBX: 0000000000000034 RCX: 0000000000000006
[   40.954592] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000041414242
[   40.956169] RBP: 0000000041414242 R08: ffffffff8200bd80 R09: 0000000041414242
[   40.957753] R10: 0000000000121806 R11: ffff88807da28ab0 R12: ffffc900003dbd7c
[   40.959407] R13: 0000000000000001 R14: 0000000041414242 R15: 0000000041414242
[   40.961062] FS:  00007f91115c4440(0000) GS:ffff88807da00000(0000)
knlGS:0000000000000000
[   40.962603] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   40.963695] CR2: 0000000041414242 CR3: 000000007c584000 CR4: 00000000000006f0
[   40.965004] Call Trace:
[   40.965459]  _copy_from_user+0x51/0x60
[   40.966141]  compat_getdrvstat+0x124/0x170
[   40.966781]  fd_compat_ioctl+0x69c/0x6d0
[   40.967423]  ? selinux_file_ioctl+0x16f/0x210
[   40.968117]  compat_blkdev_ioctl+0x21d/0x8f0
[   40.968864]  __x32_compat_sys_ioctl+0x99/0x250
[   40.969659]  do_syscall_64+0x4a/0x110
[   40.970337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9


I haven't found a way to exploit it.

> Fixes: 229b53c9bf4e ("take floppy compat ioctls to sodding floppy.c")
> Cc: stable@...r.kernel.org
> Signed-off-by: Jann Horn <jannh@...gle.com>
> Reviewed-by: Mukesh Ojha <mojha@...eaurora.org>
> ---
> compile-tested only

Acked-by: Alexander Popov <alex.popov@...ux.com>

>  drivers/block/floppy.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index 95f608d1a098..8c641245ff12 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3749,7 +3749,7 @@ static int compat_getdrvprm(int drive,
>  	v.native_format = UDP->native_format;
>  	mutex_unlock(&floppy_mutex);
>  
> -	if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_params)))
> +	if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_params)))
>  		return -EFAULT;
>  	return 0;
>  }
> @@ -3785,7 +3785,7 @@ static int compat_getdrvstat(int drive, bool poll,
>  	v.bufblocks = UDRS->bufblocks;
>  	mutex_unlock(&floppy_mutex);
>  
> -	if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_struct)))
> +	if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_struct)))
>  		return -EFAULT;
>  	return 0;
>  Eintr:
> 

I also wrote a coccinelle rule for detecting similar bugs (adding coccinelle
experts to CC).


virtual report

@cfu@
identifier f;
type t;
identifier v;
position decl_p;
position copy_p;
@@

f(..., t v@...l_p, ...)
{
<+...
copy_from_user@...y_p(v, ...)
...+>
}

@script:python@
f << cfu.f;
t << cfu.t;
v << cfu.v;
decl_p << cfu.decl_p;
copy_p << cfu.copy_p;
@@

if '__user' in t:
  msg0 = "function \"" + f + "\" has arg \"" + v + "\" of type \"" + t + "\""
  coccilib.report.print_report(decl_p[0], msg0)
  msg1 = "copy_from_user uses \"" + v + "\" as the destination. What a shame!\n"
  coccilib.report.print_report(copy_p[0], msg1)


The rule output:

./drivers/block/floppy.c:3756:49-52: function "compat_getdrvprm" has arg "arg"
of type "struct compat_floppy_drive_params __user *"
./drivers/block/floppy.c:3783:5-19: copy_from_user uses "arg" as the
destination. What a shame!

./drivers/block/floppy.c:3789:49-52: function "compat_getdrvstat" has arg "arg"
of type "struct compat_floppy_drive_struct __user *"
./drivers/block/floppy.c:3819:5-19: copy_from_user uses "arg" as the
destination. What a shame!


Best regards,
Alexander

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.