linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jia-Ju Bai <baijiaju1990@gmail.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: mchehab@kernel.org, kstewart@linuxfoundation.org,
	tomasbortoli@gmail.com, sean@mess.org, allison@lohutok.net,
	tglx@linutronix.de, linux-media@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] media: usb: ttusb-dec: avoid buffer overflow in ttusb_dec_handle_irq() when DMA failures/attacks occur
Date: Thu, 7 May 2020 17:59:58 +0800	[thread overview]
Message-ID: <e7233d0f-d21f-5b4c-cc77-e71eff1e8a47@gmail.com> (raw)
In-Reply-To: <20200507075237.GA1024567@kroah.com>



On 2020/5/7 15:52, Greg KH wrote:
> On Thu, May 07, 2020 at 01:15:22PM +0800, Jia-Ju Bai wrote:
>> At present, I only detect the cases that a DMA value *directly* taints array
>> index, loop condition and important kernel-interface calls (such as
>> request_irq()).
>> In this one driver, I only find two problems that mentioned in this patch.
>> With the kernel configuration "allyesconfig" in my x86_64 machine, I find
>> nearly 200 such problems (intra-procedurally and inter-procedurally) in all
>> the compiled device drivers.
>>
>> I also find that several drivers check the data from DMA memory, but some of
>> these checks can be bypassed.
>> Here is an example in drivers/scsi/esas2r/esas2r_vda.c:
>>
>> The function esas2r_read_vda() uses a DMA value "vi":
>>    struct atto_ioctl_vda *vi =
>>              (struct atto_ioctl_vda *)a->vda_buffer;
>>
>> Then esas2r_read_vda() calls esas2r_process_vda_ioctl() with vi:
>>    esas2r_process_vda_ioctl(a, vi, rq, &sgc);
>>
>> In esas2r_process_vda_ioctl(), the DMA value "vi->function" is
>> used at many places, such as:
>>    if (vi->function >= vercnt)
>>    ...
>>    if (vi->version > esas2r_vdaioctl_versions[vi->function])
>>    ...
>>
>> However, when DMA failures or attacks occur, the value of vi->function can
>> be changed at any time. In this case, vi->function can be first smaller than
>> vercnt, and then it can be larger than vercnt when it is used as the array
>> index of esas2r_vdaioctl_versions, causing a buffer-overflow vulnerability.
>>
>> I also submitted this patch, but no one has replied yet:
>> https://lore.kernel.org/lkml/20200504172412.25985-1-baijiaju1990@gmail.com/
> It's only been a few days, give them time.
>
> But, as with this patch, you might want to change your approach.  Having
> the changelog say "this is a security problem!" really isn't that "real"
> as the threat model is very obscure at this point in time.
>
> Just say something like I referenced here, "read the value from memory
> and test it and use that value instead of constantly reading from memory
> each time in case it changes" is nicer and more realistic.  It's a
> poential optimization as well, if the complier didn't already do it for
> us automatically (which you really should look into...)

Okay, I used objdump to generate the assembly code of ttusb_dec.o 
(ttusb_dec.c is compiled with -O2).
I found the following possible operations for "buffer[4] - 1" in the 
assembly code:
    ......
    movsbl   0x4(%rbp), %r15d
    lea          -0x1(%r15), %r13d
    cmp        $0x19, %r13d
    .....
    movsbl   0x4(%rbp), %r13d
    sub         $0x1, %r13d
    .....
    movsbl   0x4(%rbp), %ebp
    sub         $0x1, %ebp
    .....

Thus, I guess that the compiler does not optimize these three accesses 
to "buffer[4] - 1".
As you suggested, I will change my log and send a new patch, thanks :)


>
> If you make up a large series of these, I'd be glad to take them through
> one of my trees to try to fix them all up at once, that's usually a
> simpler way to do cross-tree changes like this.
>

Okay, I will organize my found issues, and send them to you.
Thanks :)


Best wishes,
Jia-Ju Bai

  reply	other threads:[~2020-05-07 10:00 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-05 14:21 [PATCH] media: usb: ttusb-dec: avoid buffer overflow in ttusb_dec_handle_irq() when DMA failures/attacks occur Jia-Ju Bai
2020-05-05 18:10 ` Greg KH
2020-05-06 10:13   ` Jia-Ju Bai
2020-05-06 11:07     ` Greg KH
2020-05-06 15:30       ` Jia-Ju Bai
2020-05-06 15:52         ` Greg KH
2020-05-06 16:48           ` Jia-Ju Bai
2020-05-06 17:43             ` Greg KH
2020-05-07  5:15               ` Jia-Ju Bai
2020-05-07  7:52                 ` Greg KH
2020-05-07  9:59                   ` Jia-Ju Bai [this message]
2020-05-07  8:43 ` Sean Young
2020-05-07 10:11   ` Jia-Ju Bai

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e7233d0f-d21f-5b4c-cc77-e71eff1e8a47@gmail.com \
    --to=baijiaju1990@gmail.com \
    --cc=allison@lohutok.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=kstewart@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=sean@mess.org \
    --cc=tglx@linutronix.de \
    --cc=tomasbortoli@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).