Re: [RFC] coccicheck: add a test for repeat memory fetches

From: Kees Cook
Date: Tue Jan 10 2017 - 15:05:01 EST


On Tue, Jan 10, 2017 at 11:30 AM, Julia Lawall <julia.lawall@xxxxxxx> wrote:
>
>
> On Tue, 10 Jan 2017, Kees Cook wrote:
>
>> On Tue, Jan 10, 2017 at 10:28 AM, Julia Lawall <julia.lawall@xxxxxxx> wrote:
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2159
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2257
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2302
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2342
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2365
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2406
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2439
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2491
>> >
>> > Do you want the above results? They have the form:
>> >
>> > if (copy_from_user(&t, useraddr, sizeof(t)))
>> >
>> > My reasoning was that there could be no problem here, because the size is
>> > the size of the destination structure. It doesn't depend on user level data.
>>
>> They're likely false positives, but it does follow the pattern of
>> reading the same userspace location twice:
>>
>> if (copy_from_user(&cmd, useraddr, sizeof(cmd)))
>> return -EFAULT;
>>
>> switch (cmd) {
>> case CHELSIO_SET_QSET_PARAMS:{
>> int i;
>> struct qset_params *q;
>> struct ch_qset_params t;
>> int q1 = pi->first_qset;
>> int nqsets = pi->nqsets;
>>
>> if (!capable(CAP_NET_ADMIN))
>> return -EPERM;
>> if (copy_from_user(&t, useraddr, sizeof(t)))
>> return -EFAULT;
>>
>> If there is any logic that examines cmd (u32) and operates on t
>> (struct ch_qset_params), there could be a flaw. It doesn't look like
>> it here, but a "correct" version of this would be:
>>
>> if (copy_from_user(&t, useraddr, sizeof(t)))
>> return -EFAULT;
>> t.cmd = cmd;
>
> OK, I'm fine with putting them all back.
>
> For another issue, what about code like the following:
>
> if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
> return -EFAULT;
>
> if ((u_cmd.outsize > EC_MAX_MSG_BYTES) ||
> (u_cmd.insize > EC_MAX_MSG_BYTES))
> return -EINVAL;
>
> s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
> GFP_KERNEL);
> if (!s_cmd)
> return -ENOMEM;
>
> if (copy_from_user(s_cmd, arg, sizeof(*s_cmd) + u_cmd.outsize)) {
> ret = -EFAULT;
> goto exit;
> }
>
> It doesn't actually test sizeof(*s_cmd) + u_cmd.outsize, but it does test
> u_cmd.outsize > EC_MAX_MSG_BYTES, and presumably that test accounts for
> the extra sizeof(*s_cmd) value.

This is also bad since s_cmd now contains possibly new values for
outsize and insize, even though the old outsize was allocated. e.g.
past-end-of-buffer reads could happen for:

arg->outsize = 4
copy_from_user(&u_cmd, arg, ...)
s_cmd = kmalloc(... + 4)
arg->outsize = 1024
copy_from_user(s_cmd, arg, ...)

now s_cmd has only the 4 bytes allocated but anything operating on the
new outsize will expect 1024. This code needs the same sanity check:

if (s_cmd->outsize != u_cmd.outsize || s_cmd->insize != u_cmd.insize) {
ret = -EINVAL;
goto exit;
}

-Kees

--
Kees Cook
Nexus Security