All of lore.kernel.org
 help / color / mirror / Atom feed
* Buffer overflow in the mptctl_replace_fw() function in linux kernel MPT ioctl driver
@ 2017-09-01  6:00 Dison River
  2017-09-01  6:44 ` Kees Cook
  2017-09-01  8:24 ` Dan Carpenter
  0 siblings, 2 replies; 3+ messages in thread
From: Dison River @ 2017-09-01  6:00 UTC (permalink / raw)
  To: sathya.prakash, chaitra.basappa, suganath-prabu.subramani,
	MPT-FusionLinux.pdl, linux-scsi, linux-kernel, security

Hi:
Buffer overflow in the mptctl_replace_fw() function in linux kernel
MPT ioctl driver.

In mptctl_replace_fw function, kernel didn't check the size of
"newFwSize" variable allows attackers to cause a denial of service via
unspecified vectors that trigger copy_from_user function calls with
improper length arguments.


static int
mptctl_replace_fw (unsigned long arg)
{
......
    if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_replace_fw))) {
        printk(KERN_ERR MYNAM "%s@%d::mptctl_replace_fw - "
            "Unable to read in mpt_ioctl_replace_fw struct @ %p\n",
                __FILE__, __LINE__, uarg);
        return -EFAULT;
    }

......

    mpt_free_fw_memory(ioc);

    /* Allocate memory for the new FW image
     */
    newFwSize = ALIGN(karg.newImageSize, 4);

    mpt_alloc_fw_memory(ioc, newFwSize);
......

    if (copy_from_user(ioc->cached_fw, uarg->newImage, newFwSize)) {
///------->newFwSize can control in userspace
        printk(MYIOC_s_ERR_FMT "%s@%d::mptctl_replace_fw - "
                "Unable to read in mpt_ioctl_replace_fw image "
                "@ %p\n", ioc->name, __FILE__, __LINE__, uarg);
        mpt_free_fw_memory(ioc);
        return -EFAULT;
    }

......

    return 0;
}

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: Buffer overflow in the mptctl_replace_fw() function in linux kernel MPT ioctl driver
  2017-09-01  6:00 Buffer overflow in the mptctl_replace_fw() function in linux kernel MPT ioctl driver Dison River
@ 2017-09-01  6:44 ` Kees Cook
  2017-09-01  8:24 ` Dan Carpenter
  1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2017-09-01  6:44 UTC (permalink / raw)
  To: Dison River
  Cc: sathya.prakash, chaitra.basappa, suganath-prabu.subramani,
	MPT-FusionLinux.pdl, linux-scsi, LKML, security

On Thu, Aug 31, 2017 at 11:00 PM, Dison River <pwn2river@gmail.com> wrote:
> Hi:
> Buffer overflow in the mptctl_replace_fw() function in linux kernel
> MPT ioctl driver.
>
> In mptctl_replace_fw function, kernel didn't check the size of
> "newFwSize" variable allows attackers to cause a denial of service via
> unspecified vectors that trigger copy_from_user function calls with
> improper length arguments.

Is there a specific path you see to trigger this?

>
>
> static int
> mptctl_replace_fw (unsigned long arg)
> {
> ......
>     if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_replace_fw))) {
>         printk(KERN_ERR MYNAM "%s@%d::mptctl_replace_fw - "
>             "Unable to read in mpt_ioctl_replace_fw struct @ %p\n",
>                 __FILE__, __LINE__, uarg);
>         return -EFAULT;
>     }
>
> ......
>
>     mpt_free_fw_memory(ioc);

This frees ioc->cached_fw.

>
>     /* Allocate memory for the new FW image
>      */
>     newFwSize = ALIGN(karg.newImageSize, 4);
>
>     mpt_alloc_fw_memory(ioc, newFwSize);

This allocates ioc->cached_fw to newFwSize.

> ......
>
>     if (copy_from_user(ioc->cached_fw, uarg->newImage, newFwSize)) {

This copies newFwSize bytes into a buffer that is allocated to newFwSize bytes.

What am I missing? I see some games getting played in
mpt_alloc_fw_memory(), but they seem to be covered due to the earlier
call to mpt_free_fw_memory()...

-Kees

> ///------->newFwSize can control in userspace
>         printk(MYIOC_s_ERR_FMT "%s@%d::mptctl_replace_fw - "
>                 "Unable to read in mpt_ioctl_replace_fw image "
>                 "@ %p\n", ioc->name, __FILE__, __LINE__, uarg);
>         mpt_free_fw_memory(ioc);
>         return -EFAULT;
>     }
>
> ......
>
>     return 0;
> }

-Kees

-- 
Kees Cook
Pixel Security

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: Buffer overflow in the mptctl_replace_fw() function in linux kernel MPT ioctl driver
  2017-09-01  6:00 Buffer overflow in the mptctl_replace_fw() function in linux kernel MPT ioctl driver Dison River
  2017-09-01  6:44 ` Kees Cook
@ 2017-09-01  8:24 ` Dan Carpenter
  1 sibling, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2017-09-01  8:24 UTC (permalink / raw)
  To: Dison River
  Cc: sathya.prakash, chaitra.basappa, suganath-prabu.subramani,
	MPT-FusionLinux.pdl, linux-scsi, linux-kernel, security

On Fri, Sep 01, 2017 at 02:00:48PM +0800, Dison River wrote:
>     newFwSize = ALIGN(karg.newImageSize, 4);

This is an integer overflow, but it's harmless...  As a static checker
developer this is where I would print a warning:
drivers/message/fusion/mptctl.c:1748 mptctl_replace_fw() warn: potential integer overflow from user '((karg.newImageSize)) + (((4)) - 1)'
I also caught the integer overflow from two days ago but there are too
many ones like this so I can't check them all.  In mpt_alloc_fw_memory()
there is another potential integer overflow when we do:

	ioc->alloc_total += size;

But ->alloc_total is not used anywhere.

I don't see a buffer overflow here.

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-09-01  8:24 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-01  6:00 Buffer overflow in the mptctl_replace_fw() function in linux kernel MPT ioctl driver Dison River
2017-09-01  6:44 ` Kees Cook
2017-09-01  8:24 ` Dan Carpenter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.