git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Wenwen Wang <wang6495@umn.edu>
	Fri, 5 Oct 2018 15:59:36 +0000 (10:59 -0500)
committer	Juerg Haefliger <juergh@canonical.com>
	Wed, 24 Jul 2019 01:54:57 +0000 (19:54 -0600)
commit	ae2c5668bf98c8394f95834dde00364bbc1ed401
tree	08e30cb9fe04ba8f9a63e17936c199c99bb4cd63	tree
parent	d70894af95893e667d7264ff92f65bf3fc6876a7	commit \| diff

yam: fix a missing-check bug

BugLink: https://bugs.launchpad.net/bugs/1836654
[ Upstream commit 0781168e23a2fc8dceb989f11fc5b39b3ccacc35 ]

In yam_ioctl(), the concrete ioctl command is firstly copied from the
user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the
following switch statement. If the command is not as expected, an error
code EINVAL is returned. In the following execution the buffer
'ifr->ifr_data' is copied again in the cases of the switch statement to
specific data structures according to what kind of ioctl command is
requested. However, after the second copy, no re-check is enforced on the
newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user
space, a malicious user can race to change the command between the two
copies. This way, the attacker can inject inconsistent data and cause
undefined behavior.

This patch adds a re-check in each case of the switch statement if there is
a second copy in that case, to re-check whether the command obtained in the
second copy is the same as the one in the first copy. If not, an error code
EINVAL will be returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>