Re: [PATCH] stm class: fix a missing-check bug
From: Alexander Shishkin
Date: Wed Oct 03 2018 - 03:57:14 EST
Wenwen Wang <wang6495@xxxxxxx> writes:
> In stm_char_policy_set_ioctl(), the 'size' field of the struct
> 'stp_polic_id' is firstly copied from the user space and then checked,
> because the length of the 'id' field in this struct, which represents an
> identification string, is not fixed. If the 'size' field cannot pass the
> check, an error code EINVAL will be returned. However, after the check, the
> whole struct is copied again from the user space. Given that the user data
> resides in the user space, a malicious user-space process can race to
> change the size between the two copies. By doing so, the attacker can
> bypass the check on the 'size' field and inject malicious data.
How? The id->size is not used for anything.
And even if there was a problem, this:
> - if (copy_from_user(id, arg, size)) {
> + if (copy_from_user(&id->master, (char __user *)arg + sizeof(size),
> + size - sizeof(size))) {
is completely pointless.
> ret = -EFAULT;
> goto err_free;
> }
>
> + id->size = size;
So, if we did use id->size after the copying, we'd indeed have this line
in the code. But since we don't, it's also pointless, so it's not there.
Thanks,
--
Alex