Re: [PATCH] sys: don't hold uts_sem while accessing userspace memory

From: Ben Hutchings
Date: Tue Jun 26 2018 - 13:43:53 EST


On Mon, 2018-06-25 at 20:16 +0200, Jann Horn wrote:
> On Mon, Jun 25, 2018 at 6:41 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Mon, Jun 25, 2018 at 06:34:10PM +0200, Jann Horn wrote:
> >
> > > + char tmp[32];
> > >
> > > - if (namelen > 32)
> > > + if (namelen < 0 || namelen > 32)
> > > namelen = 32;
> > >
> > > down_read(&uts_sem);
> > > kname = utsname()->domainname;
> > > len = strnlen(kname, namelen);
> > > - if (copy_to_user(name, kname, min(len + 1, namelen)))
> > > - err = -EFAULT;
> > > + len = min(len + 1, namelen);
> > > + memcpy(tmp, kname, len);
> > > up_read(&uts_sem);
> > >
> > > - return err;
> > > + if (copy_to_user(name, tmp, len))
> > > + return -EFAULT;
> >
> > Infoleak, and similar in a lot of other places.
>
> I don't see a problem. copy_to_user() copies "len" bytes from "tmp".
[...]
> Can you please explain why there is an infoleak here?

I think you're *fixing* information leaks in the Alpha syscalls,
because a negative value of namelen used to result in a huge length
argument to copy_to_user().

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

Attachment: signature.asc
Description: This is a digitally signed message part