[CHECKER] security rules?

[CHECKER] security rules?

[Dawson Engler]

We're looking at making a set of security checkers.  Does anyone have
suggestions for good things to go after in addition to the usual
copy_*_user and buffer overrun bugs?  For example, are there any
documents that describe the rules for when/how 'capable' is supposed to
be used?

Thanks for any help,
Dawson

Re: [CHECKER] security rules?

[Chris Evans]

Hi Dawson,

Excellent project.

Can I suggest that you check for signedness issues? A typical signature of
a signedness problem is:

int i = get_from_userspace_somehow();
/* Sanity check i */
if (i > MAX_LEN_FOR_I)
  goto bad_bad_out;
/* Bug here!! i can be negative! */


I suspect you find a lot of these sort of errors. I've already nailed a
few.

Cheers
Chris

On Fri, 13 Apr 2001, Dawson Engler wrote:

>
> We're looking at making a set of security checkers.  Does anyone have
> suggestions for good things to go after in addition to the usual
> copy_*_user and buffer overrun bugs?  For example, are there any
> documents that describe the rules for when/how 'capable' is supposed to
> be used?
>
> Thanks for any help,
> Dawson
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

[CHECKER] security rules?

[William Ie]

Hi, my name is William Ie and I am currently working with the mc group. We
are currently looking into how capability checks are used in the 2.4.3
kernel. Along the way, we found a few potential bugs that we are not too
sure about. Please bear in mind our checker right now is still very very
crude. 
1.
linux/2.4.3/drivers/block/cciss.c:381:cciss_ioctl:
		put_user(hba[ctlr]->hd[MINOR(inode->i_rdev)].start_sect,
&geo->start);
		return 0;
	case BLKGETSIZE:
		if (!arg) return -EINVAL;
		put_user(hba[ctlr]->hd[MINOR(inode->i_rdev)].nr_sects,
(long*)arg);
		return 0;
	case BLKRRPART:
		return revalidate_logvol(inode->i_rdev, 1);
Error --->
	case BLKFLSBUF:
our analysis indicates that servicing of the BLKRRPART requires the
CAP_SYS_ADMIN capability check, which is not being done here. Is this a
bug?
2.
linux/2.4.3/drivers/block/cpqarray.c:1182:ida_ioctl:

	case IDAGETDRVINFO:
		return
copy_to_user(&io->c.drv,&hba[ctlr]->drv[dsk],sizeof(drv_info_t));
	case BLKGETSIZE:
		if (!arg) return -EINVAL;

put_user(ida[(ctlr<<CTLR_SHIFT)+MINOR(inode->i_rdev)].nr_sects,
(long*)arg);
		return 0;
	case BLKRRPART:
		return revalidate_logvol(inode->i_rdev, 1);
Error --->
	case IDAPASSTHRU:
		if (!suser()) return -EPERM;
		error = copy_from_user(&my_io, io, sizeof(my_io));
		if (error) return error;
		error = ida_ctlr_ioctl(ctlr, dsk, &my_io);

Same as above.
3.
linux/2.4.3/net/rose/af_rose.c:1290:rose_ioctl:
case SIOCRSSCAUSE: {
			struct rose_cause_struct rose_cause;
			if (copy_from_user(&rose_cause, (void *)arg,
sizeof(struct rose_cause_struct)))
				return -EFAULT;
			sk->protinfo.rose->cause      = rose_cause.cause;
			sk->protinfo.rose->diagnostic =
rose_cause.diagnostic;
			return 0;
		}
The code appears to us to be configuring the device without CAP_NET_ADMIN
capability although we are not too sure that this is actually ok.
4.linux/2.4.3/drivers/net/ppp_async.c:345:ppp_async_ioctl
case PPPIOCGFLAGS:
		val = ap->flags | ap->rbits;
		if (put_user(val, (int *) arg))
			break;
		err = 0;
		break;
case PPPIOCSFLAGS:
		if (get_user(val, (int *) arg))
			break;
		ap->flags = val & ~SC_RCV_BITS;
		spin_lock_bh(&ap->recv_lock);
		ap->rbits = val & SC_RCV_BITS;
		spin_unlock_bh(&ap->recv_lock);
		err = 0;
		break;
seems to be getting and setting some flags without CAP_NET_ADMIN like in
ppp_synctty.c
5.
linux/2.4.3/drivers/isdn/isdn_ppp.c:478:isdn_ppp_ioctl
		case PPPIOCGFLAGS:	/* get configuration flags */
			if ((r = set_arg((void *) arg,
&is->pppcfg,sizeof(is->pppcfg) )))
				return r;
			break;
Error --->
		case PPPIOCSFLAGS:	/* set configuration flags */
			if ((r = get_arg((void *) arg, &val,
sizeof(val) ))) {
				return r;
			}
			if (val & SC_ENABLE_IP && !(is->pppcfg &
SC_ENABLE_IP) && (is->state & IPPP_CONNECT)) {
Same as above.
6.linux/2.4.3/drivers/net/ppp_generic.c:550:ppp_ioctl


	case PPPIOCGFLAGS:
		val = ppp->flags | ppp->xstate | ppp->rstate;
		if (put_user(val, (int *) arg))
			break;
		err = 0;
		break;

Error --->
Same as above.

Re: [CHECKER] security rules?

[Paul Mackerras]

William Ie writes:

> 4.linux/2.4.3/drivers/net/ppp_async.c:345:ppp_async_ioctl
> case PPPIOCGFLAGS:
> 		val = ap->flags | ap->rbits;
> 		if (put_user(val, (int *) arg))
> 			break;
> 		err = 0;
> 		break;
> case PPPIOCSFLAGS:
> 		if (get_user(val, (int *) arg))
> 			break;
> 		ap->flags = val & ~SC_RCV_BITS;
> 		spin_lock_bh(&ap->recv_lock);
> 		ap->rbits = val & SC_RCV_BITS;
> 		spin_unlock_bh(&ap->recv_lock);
> 		err = 0;
> 		break;
> seems to be getting and setting some flags without CAP_NET_ADMIN like in
> ppp_synctty.c

It is OK because this is a channel ioctl routine called from
ppp_generic.c as a result of an ioctl call on /dev/ppp, and it is not
possible to open /dev/ppp unless you have CAP_NET_ADMIN.

Paul.