[PATCH] comedi: integer overflow in do_insnlist_ioctl()

[PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Xi Wang]

There is a potential integer overflow in do_insnlist_ioctl() if userspace passes in a large insnlist.n_insns.  The call to kmalloc() would allocate a small buffer, which would result in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
---
 drivers/staging/comedi/comedi_fops.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 21d8c1c..66bb49d 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -650,6 +650,7 @@ static int parse_insn(struct comedi_device *dev, struct comedi_insn *insn,
  *		data (for reads)
  */
 /* arbitrary limits */
+#define MAX_INSNS   256
 #define MAX_SAMPLES 256
 static int do_insnlist_ioctl(struct comedi_device *dev,
 			     struct comedi_insnlist __user *arg, void *file)
@@ -663,6 +664,12 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
 	if (copy_from_user(&insnlist, arg, sizeof(struct comedi_insnlist)))
 		return -EFAULT;
 
+	if (insnlist.n_insns > MAX_INSNS) {
+		DPRINTK("invalid number of instructions\n");
+		ret = -EINVAL;
+		goto error;
+	}
+
 	data = kmalloc(sizeof(unsigned int) * MAX_SAMPLES, GFP_KERNEL);
 	if (!data) {
 		DPRINTK("kmalloc failed\n");
-- 
1.7.5.4

Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 142 bytes --]

I sent a patch for this already.

http://driverdev.linuxdriverproject.org/pipermail/devel/2011-November/022469.html

regards,
dan carpenter



[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Xi Wang]

Thanks for the pointer.  However you cannot do the overflow check using

  if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns)

Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
insnlist.n_insns = 0x7fffffff.

Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.

- xi

On Wed, Nov 23, 2011 at 1:13 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> I sent a patch for this already.
>
> http://driverdev.linuxdriverproject.org/pipermail/devel/2011-November/022469.html
>
> regards,
> dan carpenter
>
>
>

Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 613 bytes --]

On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
> Thanks for the pointer.  However you cannot do the overflow check using
> 
>   if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns)
> 
> Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
> insnlist.n_insns = 0x7fffffff.
> 
> Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.
> 

Argh...  You're right, my check is wrong.  What I like about my patch
though is that it doesn't introduce an arbitrary limit.  Could you
redo your check without the MAX_INSNS?

regards,
dan carpenter


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Ian Abbott]

On 2011-11-23 14:50, Dan Carpenter wrote:
> On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
>> Thanks for the pointer.  However you cannot do the overflow check using
>>
>>    if (sizeof(struct comedi_insn) * insnlist.n_insns <  insnlist.n_insns)
>>
>> Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
>> insnlist.n_insns = 0x7fffffff.
>>
>> Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.
>>
>
> Argh...  You're right, my check is wrong.  What I like about my patch
> though is that it doesn't introduce an arbitrary limit.  Could you
> redo your check without the MAX_INSNS?

Could use something like:

	if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn))
		insns =
			kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns,
				GFP_KERNEL);
	if (!insns)
		...

(note that insns is initialized to NULL).

-- 
-=( Ian Abbott @ MEV Ltd.    E-mail: <abbotti@mev.co.uk>        )=-
-=( Tel: +44 (0)161 477 1898   FAX: +44 (0)161 718 3587         )=-

[PATCH v2] comedi: integer overflow in do_insnlist_ioctl()

[Xi Wang]

There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns. The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Suggested-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
---
 drivers/staging/comedi/comedi_fops.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 21d8c1c..df86a9e 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -670,8 +670,9 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
 		goto error;
 	}
 
-	insns =
-	    kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
+	if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn))
+		insns = kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns,
+				GFP_KERNEL);
 	if (!insns) {
 		DPRINTK("kmalloc failed\n");
 		ret = -ENOMEM;
-- 
1.7.5.4

Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Lars-Peter Clausen]

On 11/23/2011 05:06 PM, Ian Abbott wrote:
> On 2011-11-23 14:50, Dan Carpenter wrote:
>> On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
>>> Thanks for the pointer.  However you cannot do the overflow check using
>>>
>>>    if (sizeof(struct comedi_insn) * insnlist.n_insns < 
>>> insnlist.n_insns)
>>>
>>> Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
>>> insnlist.n_insns = 0x7fffffff.
>>>
>>> Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your
>>> check.
>>>
>>
>> Argh...  You're right, my check is wrong.  What I like about my patch
>> though is that it doesn't introduce an arbitrary limit.  Could you
>> redo your check without the MAX_INSNS?
> 
> Could use something like:
> 
>     if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn))
>         insns =
>             kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns,
>                 GFP_KERNEL);
>     if (!insns)
>         ...
> 
> (note that insns is initialized to NULL).
> 

Just use kcalloc, it will do the right thing for you.

- Lars

Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 657 bytes --]

On Wed, Nov 23, 2011 at 10:41:07PM +0100, Lars-Peter Clausen wrote:
> >     if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn))
> >         insns =
> >             kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns,
> >                 GFP_KERNEL);
> >     if (!insns)
> >         ...
> > 
> > (note that insns is initialized to NULL).
> > 
> 
> Just use kcalloc, it will do the right thing for you.
> 

I think the reason why I didn't do that in my original patch is that
kcalloc() has a memset(..., 0, ...) in it so it's a slow down.  But
this isn't performance critical code so that would work.

regards,
dan carpenter

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Xi Wang]

Using kcalloc looks good to me.  Do you want to redo the patch in that way?

- xi

On Nov 23, 2011, at 4:51 PM, Dan Carpenter wrote:
> 
> I think the reason why I didn't do that in my original patch is that
> kcalloc() has a memset(..., 0, ...) in it so it's a slow down.  But
> this isn't performance critical code so that would work.
> 
> regards,
> dan carpenter

Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 234 bytes --]

On Thu, Nov 24, 2011 at 02:07:49PM -0500, Xi Wang wrote:
> Using kcalloc looks good to me.  Do you want to redo the patch in that way?
> 

It's your choice.  The other fix you wrote is valid as well.

regards,
dan carpenter


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

[PATCH v3] comedi: integer overflow in do_insnlist_ioctl()

[Xi Wang]

There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns.  The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.

The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
and Haogang Chen <haogangchen@gmail.com>.  The patch was suggested by
Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
---
  drivers/staging/comedi/comedi_fops.c |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c 
b/drivers/staging/comedi/comedi_fops.c
index 21d8c1c..7f7d79e 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -671,7 +671,7 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
  	}

  	insns =
-	    kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
+	    kcalloc(insnlist.n_insns, sizeof(struct comedi_insn), GFP_KERNEL);
  	if (!insns) {
  		DPRINTK("kmalloc failed\n");
  		ret = -ENOMEM;
-- 
1.7.5.4

Re: [PATCH v3] comedi: integer overflow in do_insnlist_ioctl()

[Greg KH]

On Fri, Nov 25, 2011 at 04:46:51PM -0500, Xi Wang wrote:
> There is a potential integer overflow in do_insnlist_ioctl() if
> userspace passes in a large insnlist.n_insns.  The call to kmalloc()
> would allocate a small buffer, leading to a memory corruption.
> 
> The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
> and Haogang Chen <haogangchen@gmail.com>.  The patch was suggested by
> Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>

Hm, I already applied Dan's previous patch, what should I do with this
one now?  Revert Dan's and apply this one, or apply both of them, or
something else?

confused,

greg k-h

Re: [PATCH v3] comedi: integer overflow in do_insnlist_ioctl()

[Dan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 946 bytes --]

On Sat, Nov 26, 2011 at 06:52:52PM -0800, Greg KH wrote:
> On Fri, Nov 25, 2011 at 04:46:51PM -0500, Xi Wang wrote:
> > There is a potential integer overflow in do_insnlist_ioctl() if
> > userspace passes in a large insnlist.n_insns.  The call to kmalloc()
> > would allocate a small buffer, leading to a memory corruption.
> > 
> > The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
> > and Haogang Chen <haogangchen@gmail.com>.  The patch was suggested by
> > Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.
> > 
> > Signed-off-by: Xi Wang <xi.wang@gmail.com>
> 
> Hm, I already applied Dan's previous patch, what should I do with this
> one now?  Revert Dan's and apply this one, or apply both of them, or
> something else?

Sorry for that, I should have replied to my patch when I learned that
it had a problem.

Please, revert mine and apply Xi Wang's.

regards,
dan carpenter


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [PATCH v3] comedi: integer overflow in do_insnlist_ioctl()

[Greg KH]

On Sun, Nov 27, 2011 at 02:25:39PM +0300, Dan Carpenter wrote:
> On Sat, Nov 26, 2011 at 06:52:52PM -0800, Greg KH wrote:
> > On Fri, Nov 25, 2011 at 04:46:51PM -0500, Xi Wang wrote:
> > > There is a potential integer overflow in do_insnlist_ioctl() if
> > > userspace passes in a large insnlist.n_insns.  The call to kmalloc()
> > > would allocate a small buffer, leading to a memory corruption.
> > > 
> > > The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
> > > and Haogang Chen <haogangchen@gmail.com>.  The patch was suggested by
> > > Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.
> > > 
> > > Signed-off-by: Xi Wang <xi.wang@gmail.com>
> > 
> > Hm, I already applied Dan's previous patch, what should I do with this
> > one now?  Revert Dan's and apply this one, or apply both of them, or
> > something else?
> 
> Sorry for that, I should have replied to my patch when I learned that
> it had a problem.
> 
> Please, revert mine and apply Xi Wang's.

Ok, now done.

greg k-h