authorAlasdair G Kergon <agk@redhat.com>2012-12-21 15:23:30 -0500
committerAlasdair G Kergon <agk@redhat.com>2012-12-21 15:23:30 -0500
commite910d7ebecd1aac43125944a8641b6cb1a0dfabe (patch)
tree25d1565c4aec693a4a20d714d128637eb94f2cb9 /drivers/md/dm-ioctl.c
parent550929faf89e2e2cdb3e9945ea87d383989274cf (diff)
dm ioctl: prevent unsafe change to dm_ioctl data_size
Abort dm ioctl processing if userspace changes the data_size parameter after we validated it but before we finished copying the data buffer from userspace. The dm ioctl parameters are processed in the following sequence: 1. ctl_ioctl() calls copy_params(); 2. copy_params() makes a first copy of the fixed-sized portion of the userspace parameters into the local variable "tmp"; 3. copy_params() then validates tmp.data_size and allocates a new structure big enough to hold the complete data and copies the whole userspace buffer there; 4. ctl_ioctl() reads userspace data the second time and copies the whole buffer into the pointer "param"; 5. ctl_ioctl() reads param->data_size without any validation and stores it in the variable "input_param_size"; 6. "input_param_size" is further used as the authoritative size of the kernel buffer. The problem is that userspace code could change the contents of user memory between steps 2 and 4. In particular, the data_size parameter can be changed to an invalid value after the kernel has validated it. This lets userspace force the kernel to access invalid kernel memory. The fix is to ensure that the size has not changed at step 4. This patch shouldn't have a security impact because CAP_SYS_ADMIN is required to run this code, but it should be fixed anyway. Reported-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Cc: stable@kernel.org
Diffstat (limited to 'drivers/md/dm-ioctl.c')
-rw-r--r--drivers/md/dm-ioctl.c8
1 files changed, 8 insertions, 0 deletions
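--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1566,6 +1566,14 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl **param)
 	if (copy_from_user(dmi, user, tmp.data_size))
 		goto bad;
 
+	/*
+	 * Abort if something changed the ioctl data while it was being copied.
+	 */
+	if (dmi->data_size != tmp.data_size) {
+		DMERR("rejecting ioctl: data size modified while processing parameters");
+		goto bad;
+	}
+
 	/* Wipe the user buffer so we do not return it to userspace */
 	if (secure_data && clear_user(user, tmp.data_size))
 		goto bad;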
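Review bot: The new equality check after copy_from_user re-validates only data_size, yet the same copy re-read the entire fixed-size header of dmi from userspace, so any other header field that copy_params validated from tmp before this point could likewise have changed between the two copies; if code later in copy_params or ctl_ioctl relies on those fields having been validated (not visible in this hunk), consider re-checking them here as well, or overwriting the header with the already-validated copy, `memcpy(dmi, &tmp, sizeof(tmp));`, instead of trusting the second read. The comment above the check would also serve readers better if it named the hazard and why it matters, e.g. `/* userspace may change the header between the two copies; data_size is used to size the kernel buffer, so a mismatch must abort */`. copy_params begins before this hunk and continues past it.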