• Stefan Richter's avatar
    firewire: cdev: prevent kernel stack leaking into ioctl arguments · cec4c7e4
    Stefan Richter authored
    commit eaca2d8e upstream.
    
    Found by the UC-KLEE tool:  A user could supply less input to
    firewire-cdev ioctls than write- or write/read-type ioctl handlers
    expect.  The handlers used data from uninitialized kernel stack then.
    
    This could partially leak back to the user if the kernel subsequently
    generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
    which notably would contain the _u64 closure field which many of the
    ioctl argument structures contain.
    
    The fact that the handlers would act on random garbage input is a
    lesser issue since all handlers must check their input anyway.
    
    The fix simply always null-initializes the entire ioctl argument buffer
    regardless of the actual length of expected user input.  That is, a
    runtime overhead of memset(..., 40) is added to each firewirew-cdev
    ioctl() call.  [Comment from Clemens Ladisch:  This part of the stack is
    most likely to be already in the cache.]
    
    Remarks:
      - There was never any leak from kernel stack to the ioctl output
        buffer itself.  IOW, it was not possible to read kernel stack by a
        read-type or write/read-type ioctl alone; the leak could at most
        happen in combination with read()ing subsequent event data.
      - The actual expected minimum user input of each ioctl from
        include/uapi/linux/firewire-cdev.h is, in bytes:
        [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
        [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
        [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
        [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
        [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.
    Reported-by: default avatarDavid Ramos <daramos@stanford.edu>
    Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
    cec4c7e4
core-cdev.c 46.2 KB