From: Randy Dunlap <rdunlap@infradead.org>
To: Jann Horn <jannh@google.com>,
stefanr@s5r6.in-berlin.de, linux1394-devel@lists.sourceforge.net
Cc: kernel list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] firewire: nosy: don't read packets bigger than requested
Date: Mon, 3 Sep 2018 08:58:44 -0700 [thread overview]
Message-ID: <cbf4c05d-94f2-6ef0-0c90-1f5823329bbb@infradead.org> (raw)
In-Reply-To: <CAG48ez1etiHmD-e9szTEApia9YhUFomCcZM3Yp9wj9xrDWKmzg@mail.gmail.com>
On 09/03/2018 08:55 AM, Jann Horn wrote:
> On Fri, Jul 6, 2018 at 5:16 PM Jann Horn <jannh@google.com> wrote:
>> In general, accessing userspace memory beyond the length of the supplied
>> buffer in VFS read/write handlers can lead to both kernel memory corruption
>> (via kernel_read()/kernel_write(), which can e.g. be triggered via
>> sys_splice()) and privilege escalation inside userspace.
>>
>> Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
>> Signed-off-by: Jann Horn <jannh@google.com>
>> ---
>> No CC stable because this device shouldn't be available to unprivileged
>> code by default and should be pretty rare.
>>
>> drivers/firewire/nosy.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
>> index a128dd1126ae..732075fc312e 100644
>> --- a/drivers/firewire/nosy.c
>> +++ b/drivers/firewire/nosy.c
>> @@ -161,11 +161,12 @@ packet_buffer_get(struct client *client, char __user *data, size_t user_length)
>> if (atomic_read(&buffer->size) == 0)
>> return -ENODEV;
>>
>> - /* FIXME: Check length <= user_length. */
>> -
>> end = buffer->data + buffer->capacity;
>> length = buffer->head->length;
>>
>> + if (length > user_length)
>> + return -EINVAL;
>> +
>> if (&buffer->head->data[length] < end) {
>> if (copy_to_user(data, buffer->head->data, length))
>> return -EFAULT;
>
> Ping. I sent this about two months ago, I haven't received a reply,
> and from what I can tell, it hasn't landed in any tree so far...
>
:(
I have that same problem with some Firewire documentation patches.
I plan to ask someone else to merge my patches.
--
~Randy
next prev parent reply other threads:[~2018-09-03 15:58 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-06 15:16 [PATCH] firewire: nosy: don't read packets bigger than requested Jann Horn
2018-09-03 15:55 ` Jann Horn
2018-09-03 15:58 ` Randy Dunlap [this message]
2018-09-18 14:02 ` Stefan Richter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cbf4c05d-94f2-6ef0-0c90-1f5823329bbb@infradead.org \
--to=rdunlap@infradead.org \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
--cc=stefanr@s5r6.in-berlin.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.