From patchwork Sat Jun 3 14:52:42 2023
X-Patchwork-Submitter: Demi Marie Obenour
X-Patchwork-Id: 102845
From: Demi Marie Obenour
To: Alasdair Kergon, Mike Snitzer, dm-devel@redhat.com
Cc: Demi Marie Obenour, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v2 4/6] device-mapper: Avoid double-fetch of version
Date: Sat, 3 Jun 2023 10:52:42 -0400
Message-Id: <20230603145244.1538-5-demi@invisiblethingslab.com>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20230603145244.1538-1-demi@invisiblethingslab.com>
References: <20230601212456.1533-1-demi@invisiblethingslab.com> <20230603145244.1538-1-demi@invisiblethingslab.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The version is fetched once in check_version(), which then does some
validation and then overwrites the version in userspace with the API
version supported by the kernel. copy_params() then fetches the version
from userspace *again*, and this time no validation is done. The result
is that the kernel's version number is completely controllable by
userspace, provided that userspace can win a race condition.

Fix this flaw by not copying the version back to the kernel the second
time.

This is not exploitable as the version is not further used in the
kernel. However, it could become a problem if future patches start
relying on the version field.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Demi Marie Obenour
---
 drivers/md/dm-ioctl.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index da6ca26b51d0953df380582bb3a51c2ec22c27cb..7510afe237d979a5ee71afe87a20d49f631de1aa 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1873,30 +1873,33 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags) * As well as checking the version compatibility this always * copies the kernel interface version out. */ -static int check_version(unsigned int cmd, struct dm_ioctl __user *user) +static int check_version(unsigned int cmd, struct dm_ioctl __user *user, + struct dm_ioctl *kernel_params) { - uint32_t version[3]; int r = 0; - if (copy_from_user(version, user->version, sizeof(version))) + if (copy_from_user(kernel_params->version, user->version, sizeof(kernel_params->version))) return -EFAULT; - if ((version[0] != DM_VERSION_MAJOR) || - (version[1] > DM_VERSION_MINOR)) { + if ((kernel_params->version[0] != DM_VERSION_MAJOR) || + (kernel_params->version[1] > DM_VERSION_MINOR)) { DMERR("ioctl interface mismatch: kernel(%u.%u.%u), user(%u.%u.%u), cmd(%d)", DM_VERSION_MAJOR, DM_VERSION_MINOR, DM_VERSION_PATCHLEVEL, - version[0], version[1], version[2], cmd); + kernel_params->version[0], + kernel_params->version[1], + kernel_params->version[2], + cmd); r = -EINVAL; } /* * Fill in the kernel version. */ - version[0] = DM_VERSION_MAJOR; - version[1] = DM_VERSION_MINOR; - version[2] = DM_VERSION_PATCHLEVEL; - if (copy_to_user(user->version, version, sizeof(version))) + kernel_params->version[0] = DM_VERSION_MAJOR; + kernel_params->version[1] = DM_VERSION_MINOR; + kernel_params->version[2] = DM_VERSION_PATCHLEVEL; + if (copy_to_user(user->version, kernel_params->version, sizeof(kernel_params->version))) return -EFAULT; return r; 
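Review bot: the header comment above check_version() ("As well as checking the version compatibility this always copies the kernel interface version out") no longer describes the function's full contract in the first hunk: with the new `struct dm_ioctl *kernel_params` argument it also fills `kernel_params->version`, and on return that field holds the kernel's own version (DM_VERSION_MAJOR/MINOR/PATCHLEVEL), not the values userspace passed in, on the -EINVAL path as well as on success. Suggest extending the comment to say so, since copy_params() now depends on this field having been populated here. Two minor style points: the new parameter is named `kernel_params` while the caller's variable and copy_params()'s parameter are `param_kernel`, so one name would read better; and the new `if (copy_from_user(kernel_params->version, user->version, sizeof(kernel_params->version)))` and the matching copy_to_user() line are long enough that a wrapped form would be easier to read.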
@@ -1922,7 +1925,10 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern const size_t minimum_data_size = offsetof(struct dm_ioctl, data); unsigned int noio_flag; - if (copy_from_user(param_kernel, user, minimum_data_size)) + /* Version has been copied from userspace already, avoid TOCTOU */ + if (copy_from_user((char *)param_kernel + sizeof(param_kernel->version), + (char __user *)user + sizeof(param_kernel->version), + minimum_data_size - sizeof(param_kernel->version))) return -EFAULT; if (param_kernel->data_size < minimum_data_size) { @@ -2034,7 +2040,7 @@ static int ctl_ioctl(struct file *file, uint command, struct dm_ioctl __user *us * Check the interface version passed in. This also * writes out the kernel's interface version. */ - r = check_version(cmd, user); + r = check_version(cmd, user, ¶m_kernel); if (r) return r;
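Review bot: the partial copy in the copy_params() hunk hard-codes the assumption that `version` is the first member of struct dm_ioctl: `(char *)param_kernel + sizeof(param_kernel->version)` and the matching `(char __user *)user + sizeof(param_kernel->version)` skip the first `sizeof(param_kernel->version)` bytes, which are the version field only if its offset is zero, and `minimum_data_size - sizeof(param_kernel->version)` makes the same assumption about the byte count. Suggest making it explicit, e.g. `BUILD_BUG_ON(offsetof(struct dm_ioctl, version) != 0);` just before the copy, or computing the start of the copy with offsetof() on the member that follows `version` so a future reordering of the struct cannot silently turn this into a copy of the wrong bytes. The `/* Version has been copied from userspace already, avoid TOCTOU */` comment would also be more useful if it said that copy_params() now requires check_version() to have run first, since `param_kernel->version` is left untouched here.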
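Review bot: the ctl_ioctl() hunk introduces an ordering dependency that is not documented at the call site: check_version() now receives `param_kernel` (the argument shows as `¶m_kernel` in this rendering, which is the archive's mangling of `&param_kernel`) and is the only place that fills `param_kernel->version`, so copy_params() is correct only if it runs after this call. The comment above the call ("Check the interface version passed in. This also writes out the kernel's interface version.") should add that it populates param_kernel->version and that the later copy_params() relies on it, so the two calls are not reordered in a future change.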
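The commit message describes a classic double fetch: the value is read from userspace, validated, and then read again without validation, so a racing writer decides what the kernel ends up holding. The following user-space C program is an added illustration, not code from this patch or from the kernel; it models "user memory" as a plain struct and a simulated racing writer that changes the major version between the first and second fetch, so the outcome is deterministic and can be checked. The `struct dm_ioctl_model`, `struct user_mem`, `model_*` helpers, `ioctl_double_fetch()` and `ioctl_single_fetch()` are this example's own, and the DM_VERSION_* values are constructed for the demo, not the kernel's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example interface version (constructed values for this demo). */
#define DM_VERSION_MAJOR      4
#define DM_VERSION_MINOR      48
#define DM_VERSION_PATCHLEVEL 0

/* Minimal stand-in for struct dm_ioctl: version first, then the rest. */
struct dm_ioctl_model {
	uint32_t version[3];
	uint32_t data_size;
};

/*
 * Simulated user memory. When `racing` is set, a second "thread" rewrites
 * the major version right before the second fetch, i.e. in the window
 * between check_version()'s copy_to_user() and copy_params()'s
 * copy_from_user() that the commit message describes.
 */
struct user_mem {
	struct dm_ioctl_model buf;
	int fetches;
	int racing;
};

/* Stand-in for copy_from_user(): copies `len` bytes at offset `off`. */
static int model_copy_from_user(void *dst, struct user_mem *um, size_t off, size_t len)
{
	if (um->racing && um->fetches == 1)
		um->buf.version[0] = 99;  /* racing writer lands between fetch #1 and #2 */
	memcpy(dst, (const char *)&um->buf + off, len);
	um->fetches++;
	return 0;
}

/* The validation and write-back that both flows share. */
static int model_validate_and_report(uint32_t *version, struct user_mem *um)
{
	int r = 0;

	if (version[0] != DM_VERSION_MAJOR || version[1] > DM_VERSION_MINOR)
		r = -EINVAL;
	version[0] = DM_VERSION_MAJOR;
	version[1] = DM_VERSION_MINOR;
	version[2] = DM_VERSION_PATCHLEVEL;
	memcpy(um->buf.version, version, sizeof(um->buf.version)); /* copy_to_user() */
	return r;
}

/* Old flow: validate a local copy, then re-fetch the whole header, so the
 * unvalidated second read is what the kernel-side struct ends up holding. */
int ioctl_double_fetch(struct user_mem *um, struct dm_ioctl_model *kernel)
{
	uint32_t version[3];
	int r;

	model_copy_from_user(version, um, 0, sizeof(version));
	r = model_validate_and_report(version, um);
	if (r)
		return r;
	model_copy_from_user(kernel, um, 0, sizeof(*kernel));  /* second fetch */
	return 0;
}

/* Fixed flow: fetch the version straight into the kernel-side struct,
 * validate it there, and later copy only the bytes that follow it. */
int ioctl_single_fetch(struct user_mem *um, struct dm_ioctl_model *kernel)
{
	const size_t skip = sizeof(kernel->version);
	int r;

	model_copy_from_user(kernel->version, um, 0, sizeof(kernel->version));
	r = model_validate_and_report(kernel->version, um);
	if (r)
		return r;
	/* Version already fetched and validated: do not read it again. */
	model_copy_from_user((char *)kernel + skip, um, skip, sizeof(*kernel) - skip);
	return 0;
}

/* Builds a user buffer with the given version and an optional racing writer. */
struct user_mem make_user_mem(uint32_t major, uint32_t minor, int racing)
{
	struct user_mem um;

	memset(&um, 0, sizeof(um));
	um.buf.version[0] = major;
	um.buf.version[1] = minor;
	um.buf.data_size = sizeof(struct dm_ioctl_model);
	um.racing = racing;
	return um;
}

int main(void)
{
	struct user_mem um = make_user_mem(DM_VERSION_MAJOR, 0, 1);
	struct dm_ioctl_model k;

	ioctl_double_fetch(&um, &k);
	printf("double fetch, racing writer: kernel sees major %u\n", k.version[0]);
	um = make_user_mem(DM_VERSION_MAJOR, 0, 1);
	ioctl_single_fetch(&um, &k);
	printf("single fetch, racing writer: kernel sees major %u\n", k.version[0]);
	return 0;
}
```

With the racing writer active, the double-fetch flow reports success yet leaves an unvalidated major version (99) in the kernel-side struct, while the single-fetch flow keeps the validated, kernel-supplied value and still copies `data_size` correctly from the bytes after the version field. Both flows reject a bad version with -EINVAL when no race occurs, which is why the bug is invisible to ordinary testing.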