Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 9 Aug 2019 15:56:18 +0200 (CEST)
From: Julia Lawall <julia.lawall@...6.fr>
To: Alexander Popov <alex.popov@...ux.com>
cc: Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>, 
    Jiri Kosina <jikos@...nel.org>, linux-block@...r.kernel.org, 
    linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>, 
    Mukesh Ojha <mojha@...eaurora.org>, 
    "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
    Denis Efremov <efremov@...ux.com>, Julia Lawall <Julia.Lawall@...6.fr>, 
    Gilles Muller <Gilles.Muller@...6.fr>, 
    Nicolas Palix <nicolas.palix@...g.fr>, 
    Michal Marek <michal.lkml@...kovi.net>, cocci@...teme.lip6.fr
Subject: Re: [PATCH] floppy: fix usercopy direction



On Fri, 9 Aug 2019, Alexander Popov wrote:

> Hello everyone!
>
> On 27.03.2019 1:03, Jann Horn wrote:
> > As sparse points out, these two copy_from_user() should actually be
> > copy_to_user().
>
> I've spent some time on these bugs, but it turned out that they are already public.
>
> I think Jann's patch is lost, it is not applied to the mainline.
> So I add a new floppy maintainer Denis Efremov to CC.
>
> These bugs on x86_64 cause memset for the userspace memory from the kernelspace.
> That is funny:
>  - access_ok for the copy_from_user source (2nd argument) returns zero;
>  - copy_from_user tries to erase the destination (1st argument);
>  - but the destination is in the userspace instead of kernelspace.
>
> So we have:
> [   40.937098] BUG: unable to handle page fault for address: 0000000041414242
> [   40.938714] #PF: supervisor write access in kernel mode
> [   40.939951] #PF: error_code(0x0002) - not-present page
> [   40.941121] PGD 7963f067 P4D 7963f067 PUD 0
> [   40.942107] Oops: 0002 [#1] SMP NOPTI
> [   40.942968] CPU: 0 PID: 292 Comm: d Not tainted 5.3.0-rc3+ #7
> [   40.944288] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Ubuntu-1.8.2-1ubuntu1 04/01/2014
> [   40.946478] RIP: 0010:__memset+0x24/0x30
> [   40.947394] Code: 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83 e2 07
> 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89
> d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
> [   40.951721] RSP: 0018:ffffc900003dbd58 EFLAGS: 00010206
> [   40.952941] RAX: 0000000000000000 RBX: 0000000000000034 RCX: 0000000000000006
> [   40.954592] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000041414242
> [   40.956169] RBP: 0000000041414242 R08: ffffffff8200bd80 R09: 0000000041414242
> [   40.957753] R10: 0000000000121806 R11: ffff88807da28ab0 R12: ffffc900003dbd7c
> [   40.959407] R13: 0000000000000001 R14: 0000000041414242 R15: 0000000041414242
> [   40.961062] FS:  00007f91115c4440(0000) GS:ffff88807da00000(0000)
> knlGS:0000000000000000
> [   40.962603] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   40.963695] CR2: 0000000041414242 CR3: 000000007c584000 CR4: 00000000000006f0
> [   40.965004] Call Trace:
> [   40.965459]  _copy_from_user+0x51/0x60
> [   40.966141]  compat_getdrvstat+0x124/0x170
> [   40.966781]  fd_compat_ioctl+0x69c/0x6d0
> [   40.967423]  ? selinux_file_ioctl+0x16f/0x210
> [   40.968117]  compat_blkdev_ioctl+0x21d/0x8f0
> [   40.968864]  __x32_compat_sys_ioctl+0x99/0x250
> [   40.969659]  do_syscall_64+0x4a/0x110
> [   40.970337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
>
> I haven't found a way to exploit it.
>
> > Fixes: 229b53c9bf4e ("take floppy compat ioctls to sodding floppy.c")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Jann Horn <jannh@...gle.com>
> > Reviewed-by: Mukesh Ojha <mojha@...eaurora.org>
> > ---
> > compile-tested only
>
> Acked-by: Alexander Popov <alex.popov@...ux.com>
>
> >  drivers/block/floppy.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> > index 95f608d1a098..8c641245ff12 100644
> > --- a/drivers/block/floppy.c
> > +++ b/drivers/block/floppy.c
> > @@ -3749,7 +3749,7 @@ static int compat_getdrvprm(int drive,
> >  	v.native_format = UDP->native_format;
> >  	mutex_unlock(&floppy_mutex);
> >
> > -	if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_params)))
> > +	if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_params)))
> >  		return -EFAULT;
> >  	return 0;
> >  }
> > @@ -3785,7 +3785,7 @@ static int compat_getdrvstat(int drive, bool poll,
> >  	v.bufblocks = UDRS->bufblocks;
> >  	mutex_unlock(&floppy_mutex);
> >
> > -	if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_struct)))
> > +	if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_struct)))
> >  		return -EFAULT;
> >  	return 0;
> >  Eintr:
> >
>
> I also wrote a coccinelle rule for detecting similar bugs (adding coccinelle
> experts to CC).
>
>
> virtual report
>
> @cfu@

You can replace the above line with @cfu exists@.  You want to find the
existence of such a call, not ensure that the call occurs on every
control-flow path, which is the default.

Do you want this rule to go into the kernel?

julia

> identifier f;
> type t;
> identifier v;
> position decl_p;
> position copy_p;
> @@
>
> f(..., t v@...l_p, ...)
> {
> <+...
> copy_from_user@...y_p(v, ...)
> ...+>
> }
>
> @script:python@
> f << cfu.f;
> t << cfu.t;
> v << cfu.v;
> decl_p << cfu.decl_p;
> copy_p << cfu.copy_p;
> @@
>
> if '__user' in t:
>   msg0 = "function \"" + f + "\" has arg \"" + v + "\" of type \"" + t + "\""
>   coccilib.report.print_report(decl_p[0], msg0)
>   msg1 = "copy_from_user uses \"" + v + "\" as the destination. What a shame!\n"
>   coccilib.report.print_report(copy_p[0], msg1)
>
>
> The rule output:
>
> ./drivers/block/floppy.c:3756:49-52: function "compat_getdrvprm" has arg "arg"
> of type "struct compat_floppy_drive_params __user *"
> ./drivers/block/floppy.c:3783:5-19: copy_from_user uses "arg" as the
> destination. What a shame!
>
> ./drivers/block/floppy.c:3789:49-52: function "compat_getdrvstat" has arg "arg"
> of type "struct compat_floppy_drive_struct __user *"
> ./drivers/block/floppy.c:3819:5-19: copy_from_user uses "arg" as the
> destination. What a shame!
>
>
> Best regards,
> Alexander
>

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.