[dm-devel] [PATCH] dm ioctl: prevent stack leak in dm ioctl call

Adrian Salido salidoa at google.com
Wed Apr 26 00:57:41 UTC 2017


the problem could be as simple as

On Tue, Apr 25, 2017 at 5:42 PM, Alasdair G Kergon <agk at redhat.com> wrote:
> On Tue, Apr 25, 2017 at 05:33:19PM -0700, Adrian Salido wrote:
>> it's actually the data portion of the struct under a custom user ioctl
>> where (param_kernel->data_size - minimum_data_size) <
>> sizeof(param_kernel->data)
>> Will update the patch to be clear
>
> Yes - but before updating the patch, we need to be clearer about the
> requirements of the ioctl here.
>
agreed

> Why are two different minimum data sizes used?
>
> If we let userspace send a truncated dm_ioctl struct, why are we not
> returning the same truncated one?
>
> Is this the bug?
>   param->data_size = sizeof(*param);

the problem happens every time ioctl_flags & IOCTL_FLAGS_NO_PARAMS (ex.
DM_DEV_STATUS_CMD)
1. param_kernel is allocated from stack and passed to copy_params
2. copy_params only copies up to param_kernel->data from user
(param_kernel->data still contains stack contents)
3. in copy_params, since there are no params it will skip through and
return param = dmi = param_kernel
4. that stale data is copied back to user
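Added example, not code from the patch or the dm driver: a user-space model of the four steps above, with copy_from_user/copy_to_user played by memcpy and a constructed 0xAA fill standing in for whatever the kernel stack held. Names such as param_kernel and data_size are reused as labels only, and the two mitigations shown (zero the object before the partial fill; copy back only the header that was actually filled) are generic options, not a statement of what the real patch does.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DATA_SIZE 32
#define STALE 0xAA   /* constructed stand-in for leftover kernel stack content */
#define MIN_SIZE offsetof(struct dm_ioctl_model, data)

struct dm_ioctl_model {
    uint32_t data_size;    /* header: how many bytes of the struct are valid */
    uint32_t flags;        /* header: command flags */
    char data[DATA_SIZE];  /* tail: never written for a no-params command */
};

enum mode { VULNERABLE, ZERO_FIRST, COPY_HEADER_ONLY };

/* Bytes of the struct returned to user space that still carry the STALE marker. */
static size_t count_stale(const struct dm_ioctl_model *out)
{
    size_t n = 0;
    for (size_t i = 0; i < DATA_SIZE; i++)
        if ((unsigned char)out->data[i] == STALE)
            n++;
    return n;
}

/* One ioctl round trip for a command that carries no params; returns leaked byte count. */
size_t ioctl_round_trip(enum mode m)
{
    struct dm_ioctl_model user = { .data_size = (uint32_t)MIN_SIZE, .flags = 1 }; /* constructed request */
    struct dm_ioctl_model param_kernel;                     /* step 1: lives on the stack */
    memset(&param_kernel, STALE, sizeof(param_kernel));     /* what the stack happened to hold */
    if (m == ZERO_FIRST)
        memset(&param_kernel, 0, sizeof(param_kernel));     /* mitigation A: clear before use */

    memcpy(&param_kernel, &user, MIN_SIZE);                 /* step 2: only the header comes from user */
    /* step 3: no params to process, so data[] is never written by the handler */
    size_t out_size = (m == COPY_HEADER_ONLY) ? MIN_SIZE : sizeof(param_kernel);
    param_kernel.data_size = (uint32_t)out_size;            /* mitigation B: report only what was filled */

    memcpy(&user, &param_kernel, out_size);                 /* step 4: copy back to user */
    return count_stale(&user);
}
```

In the VULNERABLE mode every byte of data[] that reaches user space is the marker, i.e. the full tail of the stack object; either mitigation brings that count to zero.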
