    dm ioctl: harden copy_params()'s copy_from_user() from malicious users · 800a7340
    Wenwen Wang authored
    In copy_params(), the struct 'dm_ioctl' is first copied from the user
    space buffer 'user' to 'param_kernel' and the field 'data_size' is
    checked against 'minimum_data_size' (size of 'struct dm_ioctl' payload
    up to its 'data' member).  If the check fails, an error code EINVAL will be
    returned.  Otherwise, param_kernel->data_size is used to do a second copy,
    which copies from the same user-space buffer to 'dmi'.  After the second
    copy, only 'dmi->data_size' is checked against 'param_kernel->data_size'.
    Given that the buffer 'user' resides in the user space, a malicious
    user-space process can race to change the content in the buffer between
    the two copies.  This way, the attacker can inject inconsistent data
    into 'dmi' (versus previously validated 'param_kernel').
    
    Fix redundant copying of 'minimum_data_size' from user-space buffer by
    using the first copy stored in 'param_kernel'.  Also remove the
    'data_size' check after the second copy because it is now unnecessary.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Wenwen Wang <wang6495@umn.edu>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
dm-ioctl.c 44.4 KB
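The double fetch the commit message describes, modelled in user space as an added example (this is not the kernel's dm-ioctl.c code). A toy header keeps only `flags` and `data_size`; a simulated `copy_from_user` has a "racer" hook that rewrites `flags` in the shared buffer once the first copy has been consumed; and the two `copy_params` shapes sit side by side: the old one re-reads the whole header from user memory and re-checks only `data_size`, the hardened one reuses the validated header from `param_kernel` and fetches only the payload after `minimum_data_size`, as the fix describes. Everything except the names `copy_params`, `param_kernel`, `dmi`, `data_size` and `minimum_data_size` is constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for struct dm_ioctl: only the two fields this example needs
 * (constructed; the real header has many more). */
struct dm_ioctl_toy {
    uint32_t flags;      /* decided on right after the first copy */
    uint32_t data_size;  /* total bytes (header + payload) the caller claims */
    char     data[];     /* payload begins here, like dm_ioctl's 'data' */
};

#define MIN_DATA_SIZE   ((uint32_t)offsetof(struct dm_ioctl_toy, data)) /* minimum_data_size */
#define MAX_DATA_SIZE   256u
#define TOY_SECURE_FLAG 0x2u   /* constructed flag, plays the role of a validated field */

/* Simulated user-space buffer. The racing process is modelled as a hook
 * that rewrites 'flags' as soon as one fetch has completed, so every later
 * fetch observes a header that differs from the one that was validated. */
struct user_buf {
    unsigned char bytes[MAX_DATA_SIZE];
    int fetches;
    uint32_t raced_flags;
};

static int copy_from_user_sim(void *dst, struct user_buf *u, size_t off, size_t len)
{
    if (off + len > sizeof u->bytes)
        return -EFAULT;
    if (u->fetches >= 1)   /* race window: first copy already validated */
        memcpy(u->bytes + offsetof(struct dm_ioctl_toy, flags),
               &u->raced_flags, sizeof u->raced_flags);
    memcpy(dst, u->bytes + off, len);
    u->fetches++;
    return 0;
}

/* Shape before the fix: the header is fetched twice, and only data_size is
 * compared afterwards, so any other header field may differ between copies. */
static int copy_params_double_fetch(struct user_buf *u, struct dm_ioctl_toy *dmi)
{
    struct dm_ioctl_toy param_kernel;

    if (copy_from_user_sim(&param_kernel, u, 0, MIN_DATA_SIZE))
        return -EFAULT;
    if (param_kernel.data_size < MIN_DATA_SIZE || param_kernel.data_size > MAX_DATA_SIZE)
        return -EINVAL;
    /* second copy re-reads the header bytes from user memory */
    if (copy_from_user_sim(dmi, u, 0, param_kernel.data_size))
        return -EFAULT;
    if (dmi->data_size != param_kernel.data_size)
        return -EINVAL;
    return 0;
}

/* Hardened shape: the validated header comes from param_kernel, and only the
 * bytes after minimum_data_size are fetched from user space. */
static int copy_params_hardened(struct user_buf *u, struct dm_ioctl_toy *dmi)
{
    struct dm_ioctl_toy param_kernel;

    if (copy_from_user_sim(&param_kernel, u, 0, MIN_DATA_SIZE))
        return -EFAULT;
    if (param_kernel.data_size < MIN_DATA_SIZE || param_kernel.data_size > MAX_DATA_SIZE)
        return -EINVAL;
    memcpy(dmi, &param_kernel, MIN_DATA_SIZE);
    if (copy_from_user_sim(dmi->data, u, MIN_DATA_SIZE,
                           param_kernel.data_size - MIN_DATA_SIZE))
        return -EFAULT;
    return 0;
}

/* Runs one variant against a constructed buffer whose header carries
 * TOY_SECURE_FLAG while the racer clears it. Returns the flags the kernel-side
 * copy ends up with, or a negative errno. */
static int run_variant(int (*variant)(struct user_buf *, struct dm_ioctl_toy *))
{
    static uint32_t kernel_words[MAX_DATA_SIZE / sizeof(uint32_t)];
    struct dm_ioctl_toy *dmi = (struct dm_ioctl_toy *)kernel_words;
    struct dm_ioctl_toy hdr = { .flags = TOY_SECURE_FLAG, .data_size = MIN_DATA_SIZE + 8 };
    struct user_buf u;

    memset(&u, 0, sizeof u);
    memcpy(u.bytes, &hdr, MIN_DATA_SIZE);
    memcpy(u.bytes + MIN_DATA_SIZE, "payload!", 8);
    u.raced_flags = 0;

    int rc = variant(&u, dmi);
    if (rc)
        return rc;
    return (int)dmi->flags;
}

int main(void)
{
    printf("double fetch: flags seen by kernel = %d (validated %u)\n",
           run_variant(copy_params_double_fetch), TOY_SECURE_FLAG);
    printf("hardened:     flags seen by kernel = %d (validated %u)\n",
           run_variant(copy_params_hardened), TOY_SECURE_FLAG);
    return 0;
}
```

The point the model makes visible: the old `dmi->data_size != param_kernel->data_size` check compares two user-controlled reads and says nothing about the rest of the header, so the racer's change to `flags` passes it; once the header is taken from the copy that was actually validated, the second `copy_from_user` can only influence the payload.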