Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel memory corruption, if __user *buf is just below TASK_SIZE.
From: Paul Kot pawlkt@gmail.com
Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel memory corruption, if __user *buf is just below TASK_SIZE.
Signed-off-by: Paul Kot pawlkt@gmail.com [sven@narfation.org: made it checkpatch clean] Signed-off-by: Sven Eckelmann sven@narfation.org --- icmp_socket.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/icmp_socket.c b/icmp_socket.c index 5bc8649..a53502a 100644 --- a/icmp_socket.c +++ b/icmp_socket.c @@ -136,8 +136,8 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
spin_unlock_bh(&socket_client->lock);
- error = __copy_to_user(buf, &socket_packet->icmp_packet, - socket_packet->icmp_len); + error = copy_to_user(buf, &socket_packet->icmp_packet, + socket_packet->icmp_len);
packet_len = socket_packet->icmp_len; kfree(socket_packet);
The access_ok read check can be directly done in copy_from_user since a failure of access_ok is handled the same way as an error in __copy_from_user.
Signed-off-by: Sven Eckelmann sven@narfation.org --- icmp_socket.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-)
diff --git a/icmp_socket.c b/icmp_socket.c index a53502a..4dc55e8 100644 --- a/icmp_socket.c +++ b/icmp_socket.c @@ -187,12 +187,7 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff, skb_reserve(skb, sizeof(struct ethhdr)); icmp_packet = (struct icmp_packet_rr *)skb_put(skb, packet_len);
- if (!access_ok(VERIFY_READ, buff, packet_len)) { - len = -EFAULT; - goto free_skb; - } - - if (__copy_from_user(icmp_packet, buff, packet_len)) { + if (copy_from_user(icmp_packet, buff, packet_len)) { len = -EFAULT; goto free_skb; }
Don't write more than the requested number of bytes of an batman-adv icmp packet to the userspace buffer. Otherwise unrelated userspace memory might get overridden by the kernel.
Signed-off-by: Sven Eckelmann sven@narfation.org --- icmp_socket.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/icmp_socket.c b/icmp_socket.c index 4dc55e8..5d69e10 100644 --- a/icmp_socket.c +++ b/icmp_socket.c @@ -136,10 +136,9 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
spin_unlock_bh(&socket_client->lock);
- error = copy_to_user(buf, &socket_packet->icmp_packet, - socket_packet->icmp_len); + packet_len = min(count, socket_packet->icmp_len); + error = copy_to_user(buf, &socket_packet->icmp_packet, packet_len);
- packet_len = socket_packet->icmp_len; kfree(socket_packet);
if (error)
Don't write more than the requested number of bytes of an batman-adv icmp packet to the userspace buffer. Otherwise unrelated userspace memory might get overwritten by the kernel.
Reported-by: Paul Kot pawlkt@gmail.com Signed-off-by: Sven Eckelmann sven@narfation.org --- Marek pointed out that it is better to merge patch 1 and 2. I think it doesn't make sense to leave Paul Kot as author because it doesn't look like his patch at all.
And thanks to Andrew for s/overridden/overwritten/
icmp_socket.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/icmp_socket.c b/icmp_socket.c index 5bc8649..66923d2 100644 --- a/icmp_socket.c +++ b/icmp_socket.c @@ -136,10 +136,9 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
spin_unlock_bh(&socket_client->lock);
- error = __copy_to_user(buf, &socket_packet->icmp_packet, - socket_packet->icmp_len); + packet_len = min(count, socket_packet->icmp_len); + error = copy_to_user(buf, &socket_packet->icmp_packet, packet_len);
- packet_len = socket_packet->icmp_len; kfree(socket_packet);
if (error)
On Saturday, December 10, 2011 22:28:34 Sven Eckelmann wrote:
From: Paul Kot pawlkt@gmail.com
Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel memory corruption, if __user *buf is just below TASK_SIZE.
Signed-off-by: Paul Kot pawlkt@gmail.com [sven@narfation.org: made it checkpatch clean] Signed-off-by: Sven Eckelmann sven@narfation.org
Applied in revision 2013715.
Thanks, Marek
On Saturday, December 10, 2011 22:28:35 Sven Eckelmann wrote:
The access_ok read check can be directly done in copy_from_user since a failure of access_ok is handled the same way as an error in __copy_from_user.
Applied in revision abe653f.
Thanks, Marek
On Saturday, December 10, 2011 22:28:36 Sven Eckelmann wrote:
Don't write more than the requested number of bytes of an batman-adv icmp packet to the userspace buffer. Otherwise unrelated userspace memory might get overridden by the kernel.
Applied in revision d22e13c.
Thanks, Marek
b.a.t.m.a.n@lists.open-mesh.org