From: Bryan Fulton <bryan@coverity.com>
To: linux-kernel@vger.kernel.org
Subject: [Coverity] Untrusted user data in kernel
Date: Thu, 16 Dec 2004 17:33:32 -0800	[thread overview]
Message-ID: <1103247211.3071.74.camel@localhost.localdomain> (raw)

Hi, recently we ran a security checker over linux and discovered some 
flaws in the Linux 2.6.9 kernel. I've inserted into this post a few
examples of what we found.  These functions copy in user data
(copy_from_user) and use it as an array index, loop bound or memory
function argument without proper bounds checking.  

This posting just involves bugs in /fs, /net and /drivers/net. There
will be more postings for similar flaws in the drivers, as well as
network exploitable bugs and bugs in system calls.  

Some can be viewed as minor as they might involve directly passing an
unsigned tainted scalar to kmalloc. I was under the impression that
kmalloc has an implicit bounds check as it returns null if attempting to
allocate >64kb (or at least it used to). Can someone confirm/disconfirm
that? 

Suggestions for other security properties to check are welcome.  We
appreciate your feedback as a method to improve and expand our
security checkers.

Thanks,
.:Bryan Fulton and Ted Unangst of Coverity, Inc.

Quick location summary:

/fs/coda/pioctl.c::coda_pioctl
/fs/xfs/linux-2.6/xfs_ioctl.c::xfs_attrmulti_by_handle
/net/ipv6/netfilter/ip6_tables.c::do_replace
/net/bridge/br_ioctl.c::old_deviceless
/net/rose/rose_route.c::rose_rt_ioctl
/drivers/net/wan/sdla.c::sdla_xfer

/////////////////////////////////////////////////////
// 1:  /fs/coda/pioctl.c::coda_pioctl              //
/////////////////////////////////////////////////////
- tainted scalars (signed shorts) data->vi.in_size and data->vi.out_size
are used to copy memory from and to user space
- neither is properly upper/lower-bound checked (in_size is only
upper-bound checked, out_size only lower-bound checked)

Call to function "copy_from_user" TAINTS argument "data"

61    if (copy_from_user(&data, (void __user *)user_data, sizeof(data))) {
62        return -EINVAL;
63    }
64             

...

TAINTED variable "(data).vi" was passed to a tainted sink.

90    error = venus_pioctl(inode->i_sb, &(cnp->c_fid), cmd, &data);
91      
92    path_release(&nd);
93    return error;
94 }
95      
96      


inside linux-2.6.9/fs/coda/upcall.c::venus_pioctl

Checked upper bounds of signed scalar "((data)->vi).in_size" 
                                 by "((data)->vi).in_size > 8192"

553    if (data->vi.in_size > VC_MAXDATASIZE) {
554        error = -EINVAL;
555        goto exit;
556    }
557

...

Assigned TAINTED variable "((data)->vi).in_size" to variable
"((inp)->coda_ioctl).len"

568    inp->coda_ioctl.len = data->vi.in_size;

...

TAINTED variable "((data)->vi).in_size" passed to tainted data sink
"copy_from_user"

572    if ( copy_from_user((char*)inp + (long)inp->coda_ioctl.data,
573                         data->vi.in, data->vi.in_size) ) {
574            error = -EINVAL;
575            goto exit;
576    }

... 

Checked lower bounds of signed scalar "((data)->vi).out_size" by
                            "((outp)->coda_ioctl).len > ((data)->vi).out_size"

588             if (outp->coda_ioctl.len > data->vi.out_size) {
589                     error = -EINVAL;
590             } else {

TAINTED variable "((data)->vi).out_size" passed to tainted data sink
"copy_to_user"

591                     if (copy_to_user(data->vi.out,
592                                      (char *)outp + (long)outp->coda_ioctl.data,
593                                      data->vi.out_size)) {
594                             error = -EFAULT;
595                             goto exit;
596                     }



////////////////////////////////////////////////////////////////////
// 2:  /fs/xfs/linux-2.6/xfs_ioctl.c::xfs_attrmulti_by_handle     //
////////////////////////////////////////////////////////////////////

- tainted unsigned scalar am_hreq.opcount multiplied and passed to
kmalloc (512) and copy_from_user (518), and used as a loop bound (524)
- this is fairly minor as there is a capable() call before the
copy_from_user in xfs_vget_fsop_handlereq

Call to function "xfs_vget_fsop_handlereq" TAINTS argument "am_hreq"

504    error = xfs_vget_fsop_handlereq(mp, parinode, CAP_SYS_ADMIN, arg,
505                                    sizeof(xfs_fsop_attrmulti_handlereq_t),
506                                    (xfs_fsop_handlereq_t *)&am_hreq,
507                                    &vp, &inode);
508    if (error)
509           return -error;
510     

Assign TAINTED variable "((am_hreq).opcount * 24)" to variable "size"

511    size = am_hreq.opcount * sizeof(attr_multiop_t);

TAINTED variable "size" was passed to a tainted sink.

512    ops = (xfs_attr_multiop_t *)kmalloc(size, GFP_KERNEL);

...

TAINTED variable "size" was passed to a tainted sink.

518    if (copy_from_user(ops, am_hreq.ops, size)) {
519           kfree(ops);
520           VN_RELE(vp);
521           return -XFS_ERROR(EFAULT);
522    }
523 

TAINTED variable "(am_hreq).opcount" used as a loop boundary

524    for (i = 0; i < am_hreq.opcount; i++) {



////////////////////////////////////////////////////////
// 3:   /net/ipv6/netfilter/ip6_tables.c::do_replace  //
////////////////////////////////////////////////////////
 
- tainted unsigned scalar tmp.num_counters multiplied and passed to
vmalloc (1161) and memset (1166) which could overflow or be too large

Call to function "copy_from_user" TAINTS argument "tmp"

1143            if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1144                    return -EFAULT;

...

TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
sink.

1161            counters = vmalloc(tmp.num_counters * sizeof(struct ip6t_counters));
1162            if (!counters) {
1163                    ret = -ENOMEM;
1164                    goto free_newinfo;
1165            }

TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
sink.

1166            memset(counters, 0, tmp.num_counters * sizeof(struct ip6t_counters));



//////////////////////////////////////////////////
// 4:  /net/bridge/br_ioctl.c::old_deviceless   //
//////////////////////////////////////////////////

- tainted unsigned scalar args[2] multiplied and passed to kmalloc (327)
and memset (331) which could overflow
- same scalar then used as a boundary to array index to the alloc'd
memory (inside get_bridge_ifindices)

Call to function "copy_from_user" TAINTS argument "args"

315             if (copy_from_user(args, uarg, sizeof(args)))
316                     return -EFAULT;
317     
318             switch (args[0]) {
319 

...

TAINTED variable "(args[2] * 4)" was passed to a tainted sink.

327                     indices = kmalloc(args[2]*sizeof(int), GFP_KERNEL);

...

TAINTED variable "(args[2] * 4)" was passed to a tainted sink.

331                     memset(indices, 0, args[2]*sizeof(int));
332                     args[2] = get_bridge_ifindices(indices, args[2]);
333     

inside /net/bridge/br_ioctl.c::get_bridge_ifindices

24      static int get_bridge_ifindices(int *indices, int num)
25      {
26              struct net_device *dev;
27              int i = 0;
28      
29              for (dev = dev_base; dev && i < num; dev = dev->next) {
30                      if (dev->priv_flags & IFF_EBRIDGE) 
31                              indices[i++] = dev->ifindex;
32              }
33      
34              return i;
35      }



////////////////////////////////////////////////// 
// 5:   /net/rose/rose_route.c::rose_rt_ioctl   //
//////////////////////////////////////////////////

- tainted scalar (unsigned char) rose_route->ndigis used as a loop
boundary (122) for indexing into rose_neigh->digipeat->calls[] of
8 structs

Call to function "copy_from_user" TAINTS argument "rose_route"

720                     if (copy_from_user(&rose_route, arg, sizeof(struct rose_route_struct)))
721                             return -EFAULT;

...

TAINTED variable "(rose_route).ndigis" was passed to a tainted sink.
[model]

731                     err = rose_add_node(&rose_route, dev);

inside /net/rose/rose_route.c::rose_add_node

112                     if (rose_route->ndigis != 0) {
...

Tainted variable "(rose_route)->ndigis" used as a loop boundary

122                             for (i = 0; i < rose_route->ndigis; i++) {
123                                     rose_neigh->digipeat->calls[i]    =
124                                             rose_route->digipeaters[i];
125                                     rose_neigh->digipeat->repeated[i] = 0;
126                             }



//////////////////////////////////////////////
// 6:   /drivers/net/wan/sdla.c::sdla_xfer  //
//////////////////////////////////////////////

- tainted signed scalar mem.len passed to kmalloc and memset (1206 and
1211, or 1220 and 1223). Possibly minor because of kmalloc's
implicit size check

Call to function "copy_from_user" TAINTS argument "mem"

1201            if(copy_from_user(&mem, info, sizeof(mem)))

...

TAINTED variable "(mem).len" was passed to a tainted sink.

1206                    temp = kmalloc(mem.len, GFP_KERNEL);

...

TAINTED variable "(mem).len" was passed to a tainted sink.

1209                    memset(temp, 0, mem.len);
1210                    sdla_read(dev, mem.addr, temp, mem.len);

TAINTED variable "(mem).len" was passed to a tainted sink.

1211                    if(copy_to_user(mem.data, temp, mem.len))

...

TAINTED variable "(mem).len" was passed to a tainted sink.

1220                    temp = kmalloc(mem.len, GFP_KERNEL);
1221                    if (!temp)
1222                            return(-ENOMEM);

TAINTED variable "(mem).len" was passed to a tainted sink.

1223                    if(copy_from_user(temp, mem.data, mem.len))
1224                    {


-- 
Bryan J Fulton
Coverity, Inc.

Email: bryan@coverity.com


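As an added example, not part of Bryan's post and not kernel code, the following userspace C model shows the three kinds of check the report says are missing: a signed length copied in from user space needs both its lower and upper bound checked before it reaches copy_from_user/copy_to_user (a negative short becomes a huge size_t); a user-supplied element count that is multiplied by an element size (opcount * 24, num_counters * 16, args[2] * 4 in the analyzer output) needs an overflow check plus an absolute cap, because a product that wraps is small and the allocation then succeeds, so an allocator refusing large sizes is not a bounds check; and a count used as a loop bound over a fixed array has to be capped by the array length. The constants MAX_DATA_SIZE, MAX_DIGIS and MAX_ALLOC_BYTES, the struct req_signed_len and the sample requests in main() are constructed for this example; the values 8192, 8 and 24 are taken from the analyzer output quoted in the post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limits for this example, standing in for the kernel's own
 * constants (VC_MAXDATASIZE, the size of calls[], an allocation cap). */
#define MAX_DATA_SIZE   8192u          /* same upper bound the coda check applied */
#define MAX_DIGIS       8u             /* calls[] holds 8 entries per the report */
#define MAX_ALLOC_BYTES (64u * 1024u)  /* largest request this model will allocate */

/* Request as copied from user space with a signed length pair
 * (modelled on coda's data->vi.in_size / out_size, both signed shorts). */
struct req_signed_len {
    short in_size;
    short out_size;
};

/* Overflow-checked multiply; false if a * b does not fit in size_t. */
static bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* A signed user-supplied length needs BOTH bounds checked before it reaches a
 * copy sink: a negative short converts to a huge size_t.
 * Returns 0 when acceptable, -1 (the EINVAL case) otherwise. */
int validate_signed_len(int len, size_t max)
{
    if (len < 0)
        return -1;
    if ((size_t)len > max)
        return -1;
    return 0;
}

/* Both lengths of a signed request, as a coda-style handler would need to do. */
int validate_req_signed_len(const struct req_signed_len *r)
{
    if (validate_signed_len(r->in_size, MAX_DATA_SIZE) != 0)
        return -1;
    if (validate_signed_len(r->out_size, MAX_DATA_SIZE) != 0)
        return -1;
    return 0;
}

/* A user-supplied count multiplied by an element size is checked for
 * wraparound and against an absolute cap before anything is allocated.
 * On success the byte count is written to *bytes; returns 0 or -1. */
int validate_count_alloc(size_t count, size_t elem_size, size_t max_bytes, size_t *bytes)
{
    size_t total;
    if (!checked_mul(count, elem_size, &total))
        return -1;               /* product wrapped: would allocate far too little */
    if (total > max_bytes)
        return -1;               /* honest but oversized request */
    *bytes = total;
    return 0;
}

/* A user-supplied count used as a loop bound over a fixed-size array (ndigis
 * over calls[] in the report) is capped by the array length. Copies n entries
 * and returns n, or -1 without touching dst if n exceeds dst_len. */
int copy_bounded(const int *src, size_t n, int *dst, size_t dst_len)
{
    if (n > dst_len)
        return -1;
    for (size_t i = 0; i < n; i++)  /* i < n <= dst_len, so always in bounds */
        dst[i] = src[i];
    return (int)n;
}

int main(void)
{
    /* Constructed requests standing in for what copy_from_user would fill in. */
    struct req_signed_len bad = { .in_size = 100, .out_size = -1 };
    struct req_signed_len good = { .in_size = 100, .out_size = 256 };
    int calls[MAX_DIGIS];
    int digis[9] = { 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    size_t bytes = 0;

    printf("negative out_size rejected: %d\n", validate_req_signed_len(&bad) == -1);
    printf("in-range request accepted:  %d\n", validate_req_signed_len(&good) == 0);
    printf("wrapping opcount rejected:  %d\n",
           validate_count_alloc(SIZE_MAX / 24 + 1, 24, MAX_ALLOC_BYTES, &bytes) == -1);
    if (validate_count_alloc(10, 24, MAX_ALLOC_BYTES, &bytes) == 0)
        printf("10 ops -> %zu bytes\n", bytes);
    printf("9 digipeaters rejected:     %d\n", copy_bounded(digis, 9, calls, MAX_DIGIS) == -1);
    return 0;
}
```

The count parameter is size_t rather than the kernel's unsigned int so that the wraparound path can be exercised on a 64-bit build as well; with a 32-bit size_t the unsigned int products in the report wrap exactly as checked_mul detects.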

Thread overview:
2004-12-17  1:33 Bryan Fulton [this message]
2004-12-17  5:15 ` [Coverity] Untrusted user data in kernel James Morris
2004-12-17  5:25   ` Patrick McHardy
2004-12-17  6:45     ` James Morris
2004-12-17 13:18       ` Tomas Carnecky
2004-12-17 19:16         ` David S. Miller
2004-12-17 19:34           ` Tomas Carnecky
2004-12-17 19:30             ` David S. Miller
2004-12-17 15:47       ` Bill Davidsen
2004-12-17 16:11         ` linux-os
2004-12-17 16:31           ` Oliver Neukum
2004-12-17 18:37           ` Bill Davidsen
2004-12-17 19:18           ` Tomas Carnecky
2004-12-17 19:30             ` Oliver Neukum
2004-12-17 19:39               ` Tomas Carnecky
2004-12-18  1:42           ` Horst von Brand
2004-12-17 15:10   ` Pavel Machek
2004-12-17 15:38     ` James Morris
2005-01-05 12:04 ` Marcelo Tosatti
2005-01-05 15:09   ` Jan Harkes
2005-01-05 23:17   ` Nathan Scott
     [not found]   ` <20050105161653.GF13455@fi.muni.cz>
     [not found]     ` <20050105140549.GA14622@logos.cnet>
2005-01-06  9:18       ` Jan Kasprzak
2005-01-06 14:48         ` Paulo Marques
2005-01-06 16:29         ` Alan Cox
2005-01-07 21:49   ` [PATCH 2.4.29-pre3-bk4] fs/coda " Jan Harkes
2005-01-07 21:54   ` [PATCH 2.6.10-mm2] " Jan Harkes