From patchwork Tue Jan  8 20:58:20 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Herton Ronaldo Krzesinski
 <herton.krzesinski@canonical.com>
X-Patchwork-Id: 210527
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com
	[91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 35BD02C0093
	for <incoming@patchwork.ozlabs.org>;
	Wed,  9 Jan 2013 07:58:54 +1100 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com)
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1TsgFy-00013m-Tl; Tue, 08 Jan 2013 20:58:46 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <herton.krzesinski@canonical.com>) id 1TsgFc-0000qW-Ls
	for kernel-team@lists.ubuntu.com; Tue, 08 Jan 2013 20:58:26 +0000
Received: from 189.58.23.196.dynamic.adsl.gvt.net.br ([189.58.23.196]
	helo=canonical.com) by youngberry.canonical.com with esmtpsa
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71)
	(envelope-from <herton.krzesinski@canonical.com>)
	id 1TsgFb-00048p-VK; Tue, 08 Jan 2013 20:58:24 +0000
From: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
To: Alasdair G Kergon <agk@redhat.com>
Subject: [ 3.5.y.z extended stable ] Patch "dm ioctl: prevent unsafe change
	to dm_ioctl data_size" has been added to staging queue
Date: Tue,  8 Jan 2013 18:58:20 -0200
Message-Id: 
 <1357678700-20830-1-git-send-email-herton.krzesinski@canonical.com>
X-Mailer: git-send-email 1.7.9.5
X-Extended-Stable: 3.5
Cc: kernel-team@lists.ubuntu.com, Mikulas Patocka <mpatocka@redhat.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

This is a note to let you know that I have just added a patch titled

    dm ioctl: prevent unsafe change to dm_ioctl data_size

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Herton

------

From e31c1b854516407e718ae3e4118db25b9e9b6205 Mon Sep 17 00:00:00 2001
From: Alasdair G Kergon <agk@redhat.com>
Date: Fri, 21 Dec 2012 20:23:30 +0000
Subject: [PATCH 27/27] dm ioctl: prevent unsafe change to dm_ioctl data_size

commit e910d7ebecd1aac43125944a8641b6cb1a0dfabe upstream.

Abort dm ioctl processing if userspace changes the data_size parameter
after we validated it but before we finished copying the data buffer
from userspace.

The dm ioctl parameters are processed in the following sequence:
 1. ctl_ioctl() calls copy_params();
 2. copy_params() makes a first copy of the fixed-sized portion of the
    userspace parameters into the local variable "tmp";
 3. copy_params() then validates tmp.data_size and allocates a new
    structure big enough to hold the complete data and copies the whole
    userspace buffer there;
 4. ctl_ioctl() reads userspace data the second time and copies the whole
    buffer into the pointer "param";
 5. ctl_ioctl() reads param->data_size without any validation and stores it
    in the variable "input_param_size";
 6. "input_param_size" is further used as the authoritative size of the
    kernel buffer.

The problem is that userspace code could change the contents of user
memory between steps 2 and 4.  In particular, the data_size parameter
can be changed to an invalid value after the kernel has validated it.
This lets userspace force the kernel to access invalid kernel memory.

The fix is to ensure that the size has not changed at step 4.

This patch shouldn't have a security impact because CAP_SYS_ADMIN is
required to run this code, but it should be fixed anyway.

Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
---
 drivers/md/dm-ioctl.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--
1.7.9.5

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index a1a3e6d..f011d4b 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1563,6 +1563,14 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl **param)
 	if (copy_from_user(dmi, user, tmp.data_size))
 		goto bad;

+	/*
+	 * Abort if something changed the ioctl data while it was being copied.
+	 */
+	if (dmi->data_size != tmp.data_size) {
+		DMERR("rejecting ioctl: data size modified while processing parameters");
+		goto bad;
+	}
+
 	/* Wipe the user buffer so we do not return it to userspace */
 	if (secure_data && clear_user(user, tmp.data_size))
 		goto bad;