[PATCH] fs: coda: fix a double-fetch case when copy data to req->uc_data

From: Kangjie Lu
Date: Tue Dec 25 2018 - 14:22:07 EST

Next message: Kangjie Lu: "[PATCH] wmi: avoid a double-fetch issue in wmi_ioctl"
Previous message: Kangjie Lu: "[PATCH] fs: coda: fix a double-fetch case in coda_psdev_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"hdr" has been copied in from user space and "hdr.opcode" is checked.
The code copies it again. User space data between the two copies is
subject to modification if the user-space code is multithreaded and
malicious. The modification may invalidate the check. The fix avoids
copying the header from user space again.

Signed-off-by: Kangjie Lu <kjlu@xxxxxxx>
---
fs/coda/psdev.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
index fb4d1c654773..248d21f84b54 100644
--- a/fs/coda/psdev.c
+++ b/fs/coda/psdev.c
@@ -174,7 +174,10 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
hdr.opcode, hdr.unique);
nbytes = req->uc_outSize; /* don't have more space! */
}
- if (copy_from_user(req->uc_data, buf, nbytes)) {
+ *((struct coda_in_hdr *)req->uc_data) = hdr;
+ if (copy_from_user(req->uc_data + sizeof(hdr),
+ buf + sizeof(hdr),
+ nbytes - sizeof(hdr))) {
req->uc_flags |= CODA_REQ_ABORT;
wake_up(&req->uc_sleep);
retval = -EFAULT;
--
2.17.2 (Apple Git-113)

Next message: Kangjie Lu: "[PATCH] wmi: avoid a double-fetch issue in wmi_ioctl"
Previous message: Kangjie Lu: "[PATCH] fs: coda: fix a double-fetch case in coda_psdev_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]