• Mathieu Desnoyers's avatar
    kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() · 3ddc5b46
    Mathieu Desnoyers authored
    I found the following pattern that leads in to interesting findings:
      grep -r "ret.*|=.*__put_user" *
      grep -r "ret.*|=.*__get_user" *
      grep -r "ret.*|=.*__copy" *
    The __put_user() calls in compat_ioctl.c, ptrace compat, signal compat,
    since those appear in compat code, we could probably expect the kernel
    addresses not to be reachable in the lower 32-bit range, so I think they
    might not be exploitable.
    For the "__get_user" cases, I don't think those are exploitable: the worse
    that can happen is that the kernel will copy kernel memory into in-kernel
    buffers, and will fail immediately afterward.
    The alpha csum_partial_copy_from_user() seems to be missing the
    access_ok() check entirely.  The fix is inspired from x86.  This could
    lead to information leak on alpha.  I also noticed that many architectures
    map csum_partial_copy_from_user() to csum_partial_copy_generic(), but I
    wonder if the latter is performing the access checks on every
    Signed-off-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Cc: Richard Henderson <rth@twiddle.net>
    Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
    Cc: Matt Turner <mattst88@gmail.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: David Miller <davem@davemloft.net>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
compat_ioctl.c 20.8 KB