mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-29 23:53:32 +00:00
4e9b45a192
On 64 bit systems the test for negative message sizes is bogus as the size, which may be positive when evaluated as a long, will get truncated to an int when passed to load_msg(). So a long might very well contain a positive value but when truncated to an int it would become negative. That in combination with a small negative value of msg_ctlmax (which will be promoted to an unsigned type for the comparison against msgsz, making it a big positive value and therefore make it pass the check) will lead to two problems: 1/ The kmalloc() call in alloc_msg() will allocate a too small buffer as the addition of alen is effectively a subtraction. 2/ The copy_from_user() call in load_msg() will first overflow the buffer with userland data and then, when the userland access generates an access violation, the fixup handler copy_user_handle_tail() will try to fill the remainder with zeros -- roughly 4GB. That almost instantly results in a system crash or reset. ,-[ Reproducer (needs to be run as root) ]-- | #include <sys/stat.h> | #include <sys/msg.h> | #include <unistd.h> | #include <fcntl.h> | | int main(void) { | long msg = 1; | int fd; | | fd = open("/proc/sys/kernel/msgmax", O_WRONLY); | write(fd, "-1", 2); | close(fd); | | msgsnd(0, &msg, 0xfffffff0, IPC_NOWAIT); | | return 0; | } '--- Fix the issue by preventing msgsz from getting truncated by consistently using size_t for the message length. This way the size checks in do_msgsnd() could still be passed with a negative value for msg_ctlmax but we would fail on the buffer allocation in that case and error out. Also change the type of m_ts from int to size_t to avoid similar nastiness in other code paths -- it is used in similar constructs, i.e. signed vs. unsigned checks. It should never become negative under normal circumstances, though. Setting msg_ctlmax to a negative value is an odd configuration and should be prevented. As that might break existing userland, it will be handled in a separate commit so it could easily be reverted and reworked without reintroducing the above described bug. Hardening mechanisms for user copy operations would have catched that bug early -- e.g. checking slab object sizes on user copy operations as the usercopy feature of the PaX patch does. Or, for that matter, detect the long vs. int sign change due to truncation, as the size overflow plugin of the very same patch does. [akpm@linux-foundation.org: fix i386 min() warnings] Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Pax Team <pageexec@freemail.hu> Cc: Davidlohr Bueso <davidlohr@hp.com> Cc: Brad Spengler <spender@grsecurity.net> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: <stable@vger.kernel.org> [ v2.3.27+ -- yes, that old ;) ] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
182 lines
3.6 KiB
C
182 lines
3.6 KiB
C
/*
|
|
* linux/ipc/msgutil.c
|
|
* Copyright (C) 1999, 2004 Manfred Spraul
|
|
*
|
|
* This file is released under GNU General Public Licence version 2 or
|
|
* (at your option) any later version.
|
|
*
|
|
* See the file COPYING for more details.
|
|
*/
|
|
|
|
#include <linux/spinlock.h>
|
|
#include <linux/init.h>
|
|
#include <linux/security.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/ipc.h>
|
|
#include <linux/msg.h>
|
|
#include <linux/ipc_namespace.h>
|
|
#include <linux/utsname.h>
|
|
#include <linux/proc_ns.h>
|
|
#include <linux/uaccess.h>
|
|
|
|
#include "util.h"
|
|
|
|
DEFINE_SPINLOCK(mq_lock);
|
|
|
|
/*
|
|
* The next 2 defines are here bc this is the only file
|
|
* compiled when either CONFIG_SYSVIPC and CONFIG_POSIX_MQUEUE
|
|
* and not CONFIG_IPC_NS.
|
|
*/
|
|
struct ipc_namespace init_ipc_ns = {
|
|
.count = ATOMIC_INIT(1),
|
|
.user_ns = &init_user_ns,
|
|
.proc_inum = PROC_IPC_INIT_INO,
|
|
};
|
|
|
|
atomic_t nr_ipc_ns = ATOMIC_INIT(1);
|
|
|
|
struct msg_msgseg {
|
|
struct msg_msgseg *next;
|
|
/* the next part of the message follows immediately */
|
|
};
|
|
|
|
#define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg))
|
|
#define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg))
|
|
|
|
|
|
static struct msg_msg *alloc_msg(size_t len)
|
|
{
|
|
struct msg_msg *msg;
|
|
struct msg_msgseg **pseg;
|
|
size_t alen;
|
|
|
|
alen = min(len, DATALEN_MSG);
|
|
msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL);
|
|
if (msg == NULL)
|
|
return NULL;
|
|
|
|
msg->next = NULL;
|
|
msg->security = NULL;
|
|
|
|
len -= alen;
|
|
pseg = &msg->next;
|
|
while (len > 0) {
|
|
struct msg_msgseg *seg;
|
|
alen = min(len, DATALEN_SEG);
|
|
seg = kmalloc(sizeof(*seg) + alen, GFP_KERNEL);
|
|
if (seg == NULL)
|
|
goto out_err;
|
|
*pseg = seg;
|
|
seg->next = NULL;
|
|
pseg = &seg->next;
|
|
len -= alen;
|
|
}
|
|
|
|
return msg;
|
|
|
|
out_err:
|
|
free_msg(msg);
|
|
return NULL;
|
|
}
|
|
|
|
struct msg_msg *load_msg(const void __user *src, size_t len)
|
|
{
|
|
struct msg_msg *msg;
|
|
struct msg_msgseg *seg;
|
|
int err = -EFAULT;
|
|
size_t alen;
|
|
|
|
msg = alloc_msg(len);
|
|
if (msg == NULL)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
alen = min(len, DATALEN_MSG);
|
|
if (copy_from_user(msg + 1, src, alen))
|
|
goto out_err;
|
|
|
|
for (seg = msg->next; seg != NULL; seg = seg->next) {
|
|
len -= alen;
|
|
src = (char __user *)src + alen;
|
|
alen = min(len, DATALEN_SEG);
|
|
if (copy_from_user(seg + 1, src, alen))
|
|
goto out_err;
|
|
}
|
|
|
|
err = security_msg_msg_alloc(msg);
|
|
if (err)
|
|
goto out_err;
|
|
|
|
return msg;
|
|
|
|
out_err:
|
|
free_msg(msg);
|
|
return ERR_PTR(err);
|
|
}
|
|
#ifdef CONFIG_CHECKPOINT_RESTORE
|
|
struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
|
|
{
|
|
struct msg_msgseg *dst_pseg, *src_pseg;
|
|
size_t len = src->m_ts;
|
|
size_t alen;
|
|
|
|
BUG_ON(dst == NULL);
|
|
if (src->m_ts > dst->m_ts)
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
alen = min(len, DATALEN_MSG);
|
|
memcpy(dst + 1, src + 1, alen);
|
|
|
|
for (dst_pseg = dst->next, src_pseg = src->next;
|
|
src_pseg != NULL;
|
|
dst_pseg = dst_pseg->next, src_pseg = src_pseg->next) {
|
|
|
|
len -= alen;
|
|
alen = min(len, DATALEN_SEG);
|
|
memcpy(dst_pseg + 1, src_pseg + 1, alen);
|
|
}
|
|
|
|
dst->m_type = src->m_type;
|
|
dst->m_ts = src->m_ts;
|
|
|
|
return dst;
|
|
}
|
|
#else
|
|
struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
|
|
{
|
|
return ERR_PTR(-ENOSYS);
|
|
}
|
|
#endif
|
|
int store_msg(void __user *dest, struct msg_msg *msg, size_t len)
|
|
{
|
|
size_t alen;
|
|
struct msg_msgseg *seg;
|
|
|
|
alen = min(len, DATALEN_MSG);
|
|
if (copy_to_user(dest, msg + 1, alen))
|
|
return -1;
|
|
|
|
for (seg = msg->next; seg != NULL; seg = seg->next) {
|
|
len -= alen;
|
|
dest = (char __user *)dest + alen;
|
|
alen = min(len, DATALEN_SEG);
|
|
if (copy_to_user(dest, seg + 1, alen))
|
|
return -1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
void free_msg(struct msg_msg *msg)
|
|
{
|
|
struct msg_msgseg *seg;
|
|
|
|
security_msg_msg_free(msg);
|
|
|
|
seg = msg->next;
|
|
kfree(msg);
|
|
while (seg != NULL) {
|
|
struct msg_msgseg *tmp = seg->next;
|
|
kfree(seg);
|
|
seg = tmp;
|
|
}
|
|
}
|