Commit 21c5977a authored by Dan Rosenberg's avatar Dan Rosenberg Committed by Linus Torvalds

alpha: fix several security issues

Fix several security issues in Alpha-specific syscalls.  Untested, but
mostly trivial.

1. Signedness issue in osf_getdomainname allows copying out-of-bounds
kernel memory to userland.

2. Signedness issue in osf_sysinfo allows copying large amounts of
kernel memory to userland.

3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy
size, allowing copying large amounts of kernel memory to userland.

4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows
privilege escalation via writing return value of sys_wait4 to kernel
memory.
Signed-off-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent ec8f9cea
...@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen) ...@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
return -EFAULT; return -EFAULT;
len = namelen; len = namelen;
if (namelen > 32) if (len > 32)
len = 32; len = 32;
down_read(&uts_sem); down_read(&uts_sem);
...@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count) ...@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
down_read(&uts_sem); down_read(&uts_sem);
res = sysinfo_table[offset]; res = sysinfo_table[offset];
len = strlen(res)+1; len = strlen(res)+1;
if (len > count) if ((unsigned long)len > (unsigned long)count)
len = count; len = count;
if (copy_to_user(buf, res, len)) if (copy_to_user(buf, res, len))
err = -EFAULT; err = -EFAULT;
...@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer, ...@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
return 1; return 1;
case GSI_GET_HWRPB: case GSI_GET_HWRPB:
if (nbytes < sizeof(*hwrpb)) if (nbytes > sizeof(*hwrpb))
return -EINVAL; return -EINVAL;
if (copy_to_user(buffer, hwrpb, nbytes) != 0) if (copy_to_user(buffer, hwrpb, nbytes) != 0)
return -EFAULT; return -EFAULT;
...@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options, ...@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
{ {
struct rusage r; struct rusage r;
long ret, err; long ret, err;
unsigned int status = 0;
mm_segment_t old_fs; mm_segment_t old_fs;
if (!ur) if (!ur)
...@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options, ...@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
old_fs = get_fs(); old_fs = get_fs();
set_fs (KERNEL_DS); set_fs (KERNEL_DS);
ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r); ret = sys_wait4(pid, (unsigned int __user *) &status, options,
(struct rusage __user *) &r);
set_fs (old_fs); set_fs (old_fs);
if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur))) if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
return -EFAULT; return -EFAULT;
err = 0; err = 0;
err |= put_user(status, ustatus);
err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec); err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec); err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec); err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment