All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] wmi: avoid a double-fetch issue in wmi_ioctl
@ 2018-12-25 19:36 Kangjie Lu
  2019-02-05 17:33 ` Andy Shevchenko
  0 siblings, 1 reply; 2+ messages in thread
From: Kangjie Lu @ 2018-12-25 19:36 UTC (permalink / raw)
  To: kjlu
  Cc: pakki001, Darren Hart, Andy Shevchenko, platform-driver-x86,
	linux-kernel

buf->length is first copied in from user space and security-checked. The
second copy issued by copy_from_user copies it again. The data in user
space may have been modified by malicious users. filter_callback()
further uses the potentially modified data. The fix avoids the
double-fetch that overwrites buf->length.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
---
 drivers/platform/x86/wmi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
index bea35be68706..93cab9a70ad7 100644
--- a/drivers/platform/x86/wmi.c
+++ b/drivers/platform/x86/wmi.c
@@ -850,7 +850,8 @@ static long wmi_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 			buf->length, wblock->req_buf_size);
 
 	/* copy the structure from userspace */
-	if (copy_from_user(buf, input, wblock->req_buf_size)) {
+	if (copy_from_user(buf->data, input->data,
+				wblock->req_buf_size - sizeof(buf->length))) {
 		dev_dbg(&wblock->dev.dev, "Copy %llu from user failed\n",
 			wblock->req_buf_size);
 		ret = -EFAULT;
-- 
2.17.2 (Apple Git-113)


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] wmi: avoid a double-fetch issue in wmi_ioctl
  2018-12-25 19:36 [PATCH] wmi: avoid a double-fetch issue in wmi_ioctl Kangjie Lu
@ 2019-02-05 17:33 ` Andy Shevchenko
  0 siblings, 0 replies; 2+ messages in thread
From: Andy Shevchenko @ 2019-02-05 17:33 UTC (permalink / raw)
  To: Kangjie Lu
  Cc: Aditya Pakki, Darren Hart, Andy Shevchenko, Platform Driver,
	Linux Kernel Mailing List

On Tue, Dec 25, 2018 at 9:37 PM Kangjie Lu <kjlu@umn.edu> wrote:
>
> buf->length is first copied in from user space and security-checked. The
> second copy issued by copy_from_user copies it again. The data in user
> space may have been modified by malicious users.

So, we already did a check and copied not more than we would expect.

> filter_callback()
> further uses the potentially modified data.

How?

> The fix avoids the
> double-fetch that overwrites buf->length.

NAK.

> Signed-off-by: Kangjie Lu <kjlu@umn.edu>
> ---
>  drivers/platform/x86/wmi.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
> index bea35be68706..93cab9a70ad7 100644
> --- a/drivers/platform/x86/wmi.c
> +++ b/drivers/platform/x86/wmi.c
> @@ -850,7 +850,8 @@ static long wmi_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
>                         buf->length, wblock->req_buf_size);
>
>         /* copy the structure from userspace */
> -       if (copy_from_user(buf, input, wblock->req_buf_size)) {
> +       if (copy_from_user(buf->data, input->data,
> +                               wblock->req_buf_size - sizeof(buf->length))) {
>                 dev_dbg(&wblock->dev.dev, "Copy %llu from user failed\n",
>                         wblock->req_buf_size);
>                 ret = -EFAULT;
> --
> 2.17.2 (Apple Git-113)
>


-- 
With Best Regards,
Andy Shevchenko

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-02-05 17:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-12-25 19:36 [PATCH] wmi: avoid a double-fetch issue in wmi_ioctl Kangjie Lu
2019-02-05 17:33 ` Andy Shevchenko

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.