Re: [PATCH v2] fix stack memory content leak via UNAME26

From: Andrew Morton
Date: Wed Oct 10 2012 - 18:46:29 EST

Next message: NeilBrown: "Re: [PATCH 03/16] f2fs: add superblock and major in-memorystructures"
Previous message: Mark Moseley: "Re: linux-audit: reconstruct path names from syscall events?"
In reply to: Kees Cook: "Re: [PATCH v2] fix stack memory content leak via UNAME26"
Next in thread: Kees Cook: "Re: [PATCH v2] fix stack memory content leak via UNAME26"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 10 Oct 2012 15:31:07 -0700
Kees Cook <keescook@xxxxxxxxxxxx> wrote:

> > This looks unecessarily complicated. Is there a reason to be copying
> > all 65 bytes out to userspace?
> >
> > If not, then couldn't we just do
> >
> > len = scnprintf(...);
> > ret = copy_to_user(..., len + 1);
> >
> > ?
>
> As it is, nothing calls override_release with crazy "len" values, but,
> to make the code less fragile, there should be checking for
> sizeof(buf) vs len. In the patch I sent, bounding the sprintf was
> sizeof(buf), and the copy_to_user was bounded by effectively
> min(sizeof(buf), len). If you wanted to use scnprintf, you'd have to
> reorganize the checks and explicitly handle len == 0:
>
> if (!len)
> return -EFAULT;
> if (sizeof(buf) < len)
> len = sizeof(buf)
> len = scnprintf(buf, len, "2.6.%u%s", v, rest);
> ret = copy_to_user(release, buf, len + 1);

It would be pretty absurd for someone to call override_release() with
len==0? All callers use sizeof() on some pretty well-defined array.

So I'd have thought that something like

--- a/kernel/sys.c~a
+++ a/kernel/sys.c
@@ -1265,7 +1265,7 @@ DECLARE_RWSEM(uts_sem);
* Work around broken programs that cannot handle "Linux 3.0".
* Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
*/
-static int override_release(char __user *release, int len)
+static int override_release(char __user *release, size_t len)
{
int ret = 0;
char buf[65];
@@ -1274,6 +1274,7 @@ static int override_release(char __user
char *rest = UTS_RELEASE;
int ndots = 0;
unsigned v;
+ size_t copy;

while (*rest) {
if (*rest == '.' && ++ndots >= 3)
@@ -1283,8 +1284,9 @@ static int override_release(char __user
rest++;
}
v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
- snprintf(buf, len, "2.6.%u%s", v, rest);
- ret = copy_to_user(release, buf, len);
+ copy = scnprintf(buf, min(len, sizeof(buf)),
+ "2.6.%u%s", v, rest);
+ ret = copy_to_user(release, buf, copy + 1);
}
return ret;
}

would suffice?

Not a big deal I guess, but copying out stuff beyond the NUL is a bit odd.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: NeilBrown: "Re: [PATCH 03/16] f2fs: add superblock and major in-memorystructures"
Previous message: Mark Moseley: "Re: linux-audit: reconstruct path names from syscall events?"
In reply to: Kees Cook: "Re: [PATCH v2] fix stack memory content leak via UNAME26"
Next in thread: Kees Cook: "Re: [PATCH v2] fix stack memory content leak via UNAME26"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]