Re: [PATCH] stm class: fix a missing-check bug

[Alexander Shishkin]

Wenwen Wang <wang6495@xxxxxxx> writes:

> In stm_char_policy_set_ioctl(), the 'size' field of the struct
> 'stp_polic_id' is firstly copied from the user space and then checked,
> because the length of the 'id' field in this struct, which represents an
> identification string, is not fixed. If the 'size' field cannot pass the
> check, an error code EINVAL will be returned. However, after the check, the
> whole struct is copied again from the user space. Given that the user data
> resides in the user space, a malicious user-space process can race to
> change the size between the two copies. By doing so, the attacker can
> bypass the check on the 'size' field and inject malicious data.

How? The id->size is not used for anything.

And even if there was a problem, this:

> -	if (copy_from_user(id, arg, size)) {
> +	if (copy_from_user(&id->master, (char __user *)arg + sizeof(size),
> +				size - sizeof(size))) {

is completely pointless.

>  		ret = -EFAULT;
>  		goto err_free;
>  	}
>  
> +	id->size = size;

So, if we did use id->size after the copying, we'd indeed have this line
in the code. But since we don't, it's also pointless, so it's not there.

Thanks,
--
Alex