Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

alpha: fix several security issues

Fix several security issues in Alpha-specific syscalls.  Untested, but
mostly trivial.

1. Signedness issue in osf_getdomainname allows copying out-of-bounds
kernel memory to userland.

2. Signedness issue in osf_sysinfo allows copying large amounts of
kernel memory to userland.

3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy
size, allowing copying large amounts of kernel memory to userland.

4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows
privilege escalation via writing return value of sys_wait4 to kernel
memory.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  • Loading branch information...
commit 21c5977a836e399fc710ff2c5367845ed5c2527f 1 parent ec8f9ce
Dan Rosenberg authored committed

Showing 1 changed file with 7 additions and 4 deletions. Show diff stats Hide diff stats

  1. +7 4 arch/alpha/kernel/osf_sys.c
11 arch/alpha/kernel/osf_sys.c
@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
409 409 return -EFAULT;
410 410
411 411 len = namelen;
412   - if (namelen > 32)
  412 + if (len > 32)
413 413 len = 32;
414 414
415 415 down_read(&uts_sem);
@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
594 594 down_read(&uts_sem);
595 595 res = sysinfo_table[offset];
596 596 len = strlen(res)+1;
597   - if (len > count)
  597 + if ((unsigned long)len > (unsigned long)count)
598 598 len = count;
599 599 if (copy_to_user(buf, res, len))
600 600 err = -EFAULT;
@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
649 649 return 1;
650 650
651 651 case GSI_GET_HWRPB:
652   - if (nbytes < sizeof(*hwrpb))
  652 + if (nbytes > sizeof(*hwrpb))
653 653 return -EINVAL;
654 654 if (copy_to_user(buffer, hwrpb, nbytes) != 0)
655 655 return -EFAULT;
@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
1008 1008 {
1009 1009 struct rusage r;
1010 1010 long ret, err;
  1011 + unsigned int status = 0;
1011 1012 mm_segment_t old_fs;
1012 1013
1013 1014 if (!ur)
@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
1016 1017 old_fs = get_fs();
1017 1018
1018 1019 set_fs (KERNEL_DS);
1019   - ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
  1020 + ret = sys_wait4(pid, (unsigned int __user *) &status, options,
  1021 + (struct rusage __user *) &r);
1020 1022 set_fs (old_fs);
1021 1023
1022 1024 if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
1023 1025 return -EFAULT;
1024 1026
1025 1027 err = 0;
  1028 + err |= put_user(status, ustatus);
1026 1029 err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
1027 1030 err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
1028 1031 err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);

0 comments on commit 21c5977

Please sign in to comment.
Something went wrong with that request. Please try again.