[v3] fix stack overflow in pktgen_if_write()

Nelson Elhage says he was able to oops both amd64 and i386 test 
machines with 8k writes to the pktgen file.  Let's just allocate the
buffer on the heap instead of on the stack.

This can only be triggered by root so there are no security issues here.

Reported-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
v3:  just use kmalloc()

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

You've got a leak if copy_user fails.

While testing this, I realized that printk() won't print more than 1k in a
single call, anyways, so I've sent along a patch that just copies up to 1k onto
the stack, which should prevent the overflow without changing behavior or
needing a heap allocation.

- Nelson

On Thu, Oct 28, 2010 at 08:05:29AM +0200, Dan Carpenter wrote:
> Nelson Elhage says he was able to oops both amd64 and i386 test 
> machines with 8k writes to the pktgen file.  Let's just allocate the
> buffer on the heap instead of on the stack.
> 
> This can only be triggered by root so there are no security issues here.
> 
> Reported-by: Nelson Elhage <nelhage@ksplice.com>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> v3:  just use kmalloc()
> 
> diff --git a/net/core/pktgen.c b/net/core/pktgen.c
> index 2c0df0f..c8d3620 100644
> --- a/net/core/pktgen.c
> +++ b/net/core/pktgen.c
> @@ -887,12 +887,17 @@ static ssize_t pktgen_if_write(struct file *file,
>  	i += len;
>  
>  	if (debug) {
> -		char tb[count + 1];
> +		char *tb;
> +
> +		tb = kmalloc(count + 1, GFP_KERNEL);
> +		if (!tb)
> +			return -ENOMEM;
>  		if (copy_from_user(tb, user_buffer, count))
>  			return -EFAULT;
>  		tb[count] = 0;
>  		printk(KERN_DEBUG "pktgen: %s,%lu  buffer -:%s:-\n", name,
>  		       (unsigned long)count, tb);
> +		kfree(tb);
>  	}
>  
>  	if (!strcmp(name, "min_pkt_size")) {
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Thu, Oct 28, 2010 at 11:22:22AM -0400, Nelson Elhage wrote:
> You've got a leak if copy_user fails.
> 

My QC scripts should have caught that, but they didn't...  I'll figure
it out.  It shouldn't happen again.

> While testing this, I realized that printk() won't print more than 1k in a
> single call, anyways, so I've sent along a patch that just copies up to 1k onto
> the stack, which should prevent the overflow without changing behavior or
> needing a heap allocation.
> 

Ok.  Good to hear.  Sorry I wasted people's time.

regards,
dan carpenter


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Thu, Oct 28, 2010 at 06:28:25PM +0200, Dan Carpenter wrote:
> On Thu, Oct 28, 2010 at 11:22:22AM -0400, Nelson Elhage wrote:
> > You've got a leak if copy_user fails.
> > 
> 
> My QC scripts should have caught that, but they didn't...  I'll figure
> it out.  It shouldn't happen again.
> 
> > While testing this, I realized that printk() won't print more than 1k in a
> > single call, anyways, so I've sent along a patch that just copies up to 1k onto
> > the stack, which should prevent the overflow without changing behavior or
> > needing a heap allocation.
> > 
> 
> Ok.  Good to hear.  Sorry I wasted people's time.

No worries. I appreciate you jumping in to help, even if it looks like the
approach wasn't needed in the end.

- Nelson

> 
> regards,
> dan carpenter
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Dan Carpenter <error27@gmail.com> writes:

> Reported-by: Nelson Elhage <nelhage@ksplice.com>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> v3:  just use kmalloc()
>
> diff --git a/net/core/pktgen.c b/net/core/pktgen.c
> index 2c0df0f..c8d3620 100644
> --- a/net/core/pktgen.c
> +++ b/net/core/pktgen.c
> @@ -887,12 +887,17 @@ static ssize_t pktgen_if_write(struct file *file,
>  	i += len;
>  
>  	if (debug) {
> -		char tb[count + 1];
> +		char *tb;
> +
> +		tb = kmalloc(count + 1, GFP_KERNEL);


This is still trivially exploitable (for root) -- think what happens
when count is near ULONG_MAX

-Andi

> > @@ -887,12 +887,17 @@ static ssize_t pktgen_if_write(struct file *file,
> >  	i += len;
> >  
> >  	if (debug) {
> > -		char tb[count + 1];
> > +		char *tb;
> > +
> > +		tb = kmalloc(count + 1, GFP_KERNEL);
> 
> 
> This is still trivially exploitable (for root) -- think what happens
> when count is near ULONG_MAX
> 

In vfs_write() we call rw_verify_area() which caps count at INT_MAX or
LONG_MAX.

        if (unlikely((ssize_t) count < 0))
                return retval;

So I get lucky this time...  ;)

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html