[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 9 Aug 2019 16:36:52 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>
Cc: Jiri Kosina <jikos@...nel.org>, linux-block@...r.kernel.org,
linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>,
Mukesh Ojha <mojha@...eaurora.org>,
"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
Denis Efremov <efremov@...ux.com>, Julia Lawall <Julia.Lawall@...6.fr>,
Gilles Muller <Gilles.Muller@...6.fr>, Nicolas Palix
<nicolas.palix@...g.fr>, Michal Marek <michal.lkml@...kovi.net>,
cocci@...teme.lip6.fr
Subject: Re: [PATCH] floppy: fix usercopy direction
Hello everyone!
On 27.03.2019 1:03, Jann Horn wrote:
> As sparse points out, these two copy_from_user() should actually be
> copy_to_user().
I've spent some time on these bugs, but it turned out that they are already public.
I think Jann's patch is lost, it is not applied to the mainline.
So I add a new floppy maintainer Denis Efremov to CC.
These bugs on x86_64 cause memset for the userspace memory from the kernelspace.
That is funny:
- access_ok for the copy_from_user source (2nd argument) returns zero;
- copy_from_user tries to erase the destination (1st argument);
- but the destination is in the userspace instead of kernelspace.
So we have:
[ 40.937098] BUG: unable to handle page fault for address: 0000000041414242
[ 40.938714] #PF: supervisor write access in kernel mode
[ 40.939951] #PF: error_code(0x0002) - not-present page
[ 40.941121] PGD 7963f067 P4D 7963f067 PUD 0
[ 40.942107] Oops: 0002 [#1] SMP NOPTI
[ 40.942968] CPU: 0 PID: 292 Comm: d Not tainted 5.3.0-rc3+ #7
[ 40.944288] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 40.946478] RIP: 0010:__memset+0x24/0x30
[ 40.947394] Code: 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83 e2 07
48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89
d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
[ 40.951721] RSP: 0018:ffffc900003dbd58 EFLAGS: 00010206
[ 40.952941] RAX: 0000000000000000 RBX: 0000000000000034 RCX: 0000000000000006
[ 40.954592] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000041414242
[ 40.956169] RBP: 0000000041414242 R08: ffffffff8200bd80 R09: 0000000041414242
[ 40.957753] R10: 0000000000121806 R11: ffff88807da28ab0 R12: ffffc900003dbd7c
[ 40.959407] R13: 0000000000000001 R14: 0000000041414242 R15: 0000000041414242
[ 40.961062] FS: 00007f91115c4440(0000) GS:ffff88807da00000(0000)
knlGS:0000000000000000
[ 40.962603] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 40.963695] CR2: 0000000041414242 CR3: 000000007c584000 CR4: 00000000000006f0
[ 40.965004] Call Trace:
[ 40.965459] _copy_from_user+0x51/0x60
[ 40.966141] compat_getdrvstat+0x124/0x170
[ 40.966781] fd_compat_ioctl+0x69c/0x6d0
[ 40.967423] ? selinux_file_ioctl+0x16f/0x210
[ 40.968117] compat_blkdev_ioctl+0x21d/0x8f0
[ 40.968864] __x32_compat_sys_ioctl+0x99/0x250
[ 40.969659] do_syscall_64+0x4a/0x110
[ 40.970337] entry_SYSCALL_64_after_hwframe+0x44/0xa9
I haven't found a way to exploit it.
> Fixes: 229b53c9bf4e ("take floppy compat ioctls to sodding floppy.c")
> Cc: stable@...r.kernel.org
> Signed-off-by: Jann Horn <jannh@...gle.com>
> Reviewed-by: Mukesh Ojha <mojha@...eaurora.org>
> ---
> compile-tested only
Acked-by: Alexander Popov <alex.popov@...ux.com>
> drivers/block/floppy.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index 95f608d1a098..8c641245ff12 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3749,7 +3749,7 @@ static int compat_getdrvprm(int drive,
> v.native_format = UDP->native_format;
> mutex_unlock(&floppy_mutex);
>
> - if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_params)))
> + if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_params)))
> return -EFAULT;
> return 0;
> }
> @@ -3785,7 +3785,7 @@ static int compat_getdrvstat(int drive, bool poll,
> v.bufblocks = UDRS->bufblocks;
> mutex_unlock(&floppy_mutex);
>
> - if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_struct)))
> + if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_struct)))
> return -EFAULT;
> return 0;
> Eintr:
>
I also wrote a coccinelle rule for detecting similar bugs (adding coccinelle
experts to CC).
virtual report
@cfu@
identifier f;
type t;
identifier v;
position decl_p;
position copy_p;
@@
f(..., t v@...l_p, ...)
{
<+...
copy_from_user@...y_p(v, ...)
...+>
}
@script:python@
f << cfu.f;
t << cfu.t;
v << cfu.v;
decl_p << cfu.decl_p;
copy_p << cfu.copy_p;
@@
if '__user' in t:
msg0 = "function \"" + f + "\" has arg \"" + v + "\" of type \"" + t + "\""
coccilib.report.print_report(decl_p[0], msg0)
msg1 = "copy_from_user uses \"" + v + "\" as the destination. What a shame!\n"
coccilib.report.print_report(copy_p[0], msg1)
The rule output:
./drivers/block/floppy.c:3756:49-52: function "compat_getdrvprm" has arg "arg"
of type "struct compat_floppy_drive_params __user *"
./drivers/block/floppy.c:3783:5-19: copy_from_user uses "arg" as the
destination. What a shame!
./drivers/block/floppy.c:3789:49-52: function "compat_getdrvstat" has arg "arg"
of type "struct compat_floppy_drive_struct __user *"
./drivers/block/floppy.c:3819:5-19: copy_from_user uses "arg" as the
destination. What a shame!
Best regards,
Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
