Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel memory corruption, if __user *buf is just below TASK_SIZE.
From: Paul Kot pawlkt@gmail.com
Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel memory corruption, if __user *buf is just below TASK_SIZE.
Signed-off-by: Paul Kot pawlkt@gmail.com [sven@narfation.org: made it checkpatch clean] Signed-off-by: Sven Eckelmann sven@narfation.org --- icmp_socket.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/icmp_socket.c b/icmp_socket.c index 5bc8649..a53502a 100644 --- a/icmp_socket.c +++ b/icmp_socket.c @@ -136,8 +136,8 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
spin_unlock_bh(&socket_client->lock);
- error = __copy_to_user(buf, &socket_packet->icmp_packet, - socket_packet->icmp_len); + error = copy_to_user(buf, &socket_packet->icmp_packet, + socket_packet->icmp_len);
packet_len = socket_packet->icmp_len; kfree(socket_packet);
The access_ok read check can be directly done in copy_from_user since a failure of access_ok is handled the same way as an error in __copy_from_user.
Signed-off-by: Sven Eckelmann sven@narfation.org --- icmp_socket.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-)
diff --git a/icmp_socket.c b/icmp_socket.c index a53502a..4dc55e8 100644 --- a/icmp_socket.c +++ b/icmp_socket.c @@ -187,12 +187,7 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff, skb_reserve(skb, sizeof(struct ethhdr)); icmp_packet = (struct icmp_packet_rr *)skb_put(skb, packet_len);
- if (!access_ok(VERIFY_READ, buff, packet_len)) { - len = -EFAULT; - goto free_skb; - } - - if (__copy_from_user(icmp_packet, buff, packet_len)) { + if (copy_from_user(icmp_packet, buff, packet_len)) { len = -EFAULT; goto free_skb; }
On Saturday, December 10, 2011 22:28:35 Sven Eckelmann wrote:
The access_ok read check can be directly done in copy_from_user since a failure of access_ok is handled the same way as an error in __copy_from_user.
Applied in revision abe653f.
Thanks, Marek
Don't write more than the requested number of bytes of an batman-adv icmp packet to the userspace buffer. Otherwise unrelated userspace memory might get overridden by the kernel.
Signed-off-by: Sven Eckelmann sven@narfation.org --- icmp_socket.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/icmp_socket.c b/icmp_socket.c index 4dc55e8..5d69e10 100644 --- a/icmp_socket.c +++ b/icmp_socket.c @@ -136,10 +136,9 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
spin_unlock_bh(&socket_client->lock);
- error = copy_to_user(buf, &socket_packet->icmp_packet, - socket_packet->icmp_len); + packet_len = min(count, socket_packet->icmp_len); + error = copy_to_user(buf, &socket_packet->icmp_packet, packet_len);
- packet_len = socket_packet->icmp_len; kfree(socket_packet);
if (error)
On Saturday, December 10, 2011 22:28:36 Sven Eckelmann wrote:
Don't write more than the requested number of bytes of an batman-adv icmp packet to the userspace buffer. Otherwise unrelated userspace memory might get overridden by the kernel.
Applied in revision d22e13c.
Thanks, Marek
Don't write more than the requested number of bytes of an batman-adv icmp packet to the userspace buffer. Otherwise unrelated userspace memory might get overwritten by the kernel.
Reported-by: Paul Kot pawlkt@gmail.com Signed-off-by: Sven Eckelmann sven@narfation.org --- Marek pointed out that it is better to merge patch 1 and 2. I think it doesn't make sense to leave Paul Kot as author because it doesn't look like his patch at all.
And thanks to Andrew for s/overridden/overwritten/
icmp_socket.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/icmp_socket.c b/icmp_socket.c index 5bc8649..66923d2 100644 --- a/icmp_socket.c +++ b/icmp_socket.c @@ -136,10 +136,9 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
spin_unlock_bh(&socket_client->lock);
- error = __copy_to_user(buf, &socket_packet->icmp_packet, - socket_packet->icmp_len); + packet_len = min(count, socket_packet->icmp_len); + error = copy_to_user(buf, &socket_packet->icmp_packet, packet_len);
- packet_len = socket_packet->icmp_len; kfree(socket_packet);
if (error)
On Saturday, December 10, 2011 22:28:34 Sven Eckelmann wrote:
From: Paul Kot pawlkt@gmail.com
Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel memory corruption, if __user *buf is just below TASK_SIZE.
Signed-off-by: Paul Kot pawlkt@gmail.com [sven@narfation.org: made it checkpatch clean] Signed-off-by: Sven Eckelmann sven@narfation.org
Applied in revision 2013715.
Thanks, Marek
b.a.t.m.a.n@lists.open-mesh.org
-
Marek Lindner -
Paul -
Sven Eckelmann