linux/drivers/acpi
Meng Xu 9edcad53d6 libnvdimm, nfit: move the check on nd_reserved2 to the endpoint
Delay the check of nd_reserved2 to the actual endpoint (acpi_nfit_ctl)
that uses it, as a prevention of a potential double-fetch bug.

While examining the kernel source code, I found a dangerous operation that
could turn into a double-fetch situation (a race condition bug) where
the same userspace memory region is fetched twice into the kernel, with sanity
checks after the first fetch but missing checks after the second fetch.

In the case of _IOC_NR(ioctl_cmd) == ND_CMD_CALL:

1. The first fetch happens in line 935: copy_from_user(&pkg, p, sizeof(pkg))

2. Subsequently `pkg.nd_reserved2` is asserted to be all zeroes
(line 984 to 986).

3. The second fetch happens in line 1022: copy_from_user(buf, p, buf_len)

4. Given that `p` can be fully controlled in userspace, an attacker can
race to override the header part of `p`, say,
`((struct nd_cmd_pkg *)p)->nd_reserved2` to arbitrary value
(say nine 0xFFFFFFFF for `nd_reserved2`) after the first fetch but before the
second fetch. The changed value will be copied to `buf`.

5. There are no checks on the second fetch until its use in
line 1034: nd_cmd_clear_to_send(nvdimm_bus, nvdimm, cmd, buf) and
line 1038: nd_desc->ndctl(nd_desc, nvdimm, cmd, buf, buf_len, &cmd_rc)
which means that the assumed relation, `p->nd_reserved2` is all zeroes, might
not hold after the second fetch. And once the control goes to these functions
we lose the context to assert the assumed relation.

6. Based on my manual analysis, `p->nd_reserved2` is not used in function
`nd_cmd_clear_to_send` and potential implementations of `nd_desc->ndctl`
so there is no working exploit against it right now. However, this could
easily turn into an exploitable one if careless developers start to use
`p->nd_reserved2` later and assume that they are all zeroes.

Move the validation of the nd_reserved2 field to the ->ndctl()
implementation where it has a stable buffer to evaluate.

Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2017-09-04 11:02:21 -07:00
acpica Merge branches 'acpi-pmic', 'acpi-misc' and 'acpi-tables' 2017-07-03 14:25:11 +02:00
apei arm64 updates for 4.13: 2017-07-05 17:09:27 -07:00
arm64 IOMMU Updates for Linux v4.13 2017-07-12 10:00:04 -07:00
dptf ACPI / DPTF: constify attribute_group structures 2017-07-04 22:15:28 +02:00
nfit libnvdimm, nfit: move the check on nd_reserved2 to the endpoint 2017-09-04 11:02:21 -07:00
pmic ACPI / PMIC: xpower: Add support for the GPI1 regulator to the OpRegion handler 2017-06-22 02:15:05 +02:00
x86 ACPI / x86: Add KIOX000A accelerometer on GPD win to always_present_ids array 2017-07-12 13:26:13 +02:00
ac.c ACPI / AC: Add a blacklist with PMIC ACPI HIDs with a native charger driver 2017-04-19 22:53:35 +02:00
acpi_amba.c
acpi_apd.c ACPI: APD: Fix HID for Hisilicon Hip07/08 2017-07-30 14:33:48 +02:00
acpi_cmos_rtc.c
acpi_configfs.c ACPI: configfs: Unload SSDT on configfs entry removal 2017-06-22 02:43:12 +02:00
acpi_dbg.c ACPI: fix whitespace in pr_fmt() to align log entries 2017-06-22 02:18:20 +02:00
acpi_extlog.c ACPI: Switch to use generic guid_t in acpi_evaluate_dsm() 2017-06-07 12:20:49 +02:00
acpi_ipmi.c ACPI / IPMI: change warning to debug on timeout 2017-04-07 12:25:37 -05:00
acpi_lpat.c
acpi_lpss.c Merge branches 'acpi-soc', 'acpi-wdat' and 'acpi-cppc' 2017-08-03 20:30:18 +02:00
acpi_memhotplug.c
acpi_pad.c sched/headers: Prepare for new header dependencies before moving code to <uapi/linux/sched/types.h> 2017-03-02 08:42:27 +01:00
acpi_platform.c ACPI / platform: Update platform device NUMA node based on _PXM method 2017-04-18 16:56:39 +02:00
acpi_pnp.c
acpi_processor.c ACPI / Processor: Drop setup_max_cpus check from acpi_processor_add() 2017-04-18 16:50:24 +02:00
acpi_video.c ACPI / video: add comments about subtle cases 2017-04-19 22:50:11 +02:00
acpi_watchdog.c ACPI / watchdog: Fix init failure with overlapping register regions 2017-07-26 02:09:41 +02:00
battery.c ACPI / PM: Ignore spurious SCI wakeups from suspend-to-idle 2017-06-15 00:55:44 +02:00
battery.h
bgrt.c ACPI: BGRT: constify attribute_group structures 2017-07-04 22:15:20 +02:00
blacklist.c ACPI / blacklist: add _REV quirk for Dell Inspiron 7537 2017-04-19 02:35:54 +02:00
bus.c Merge branches 'acpi-spcr', 'acpi-osi', 'acpi-bus', 'acpi-scan' and 'acpi-misc' 2017-07-10 22:46:21 +02:00
button.c ACPI updates for v4.13-rc1 2017-07-04 14:16:49 -07:00
cm_sbs.c
container.c
cppc_acpi.c scripts/spelling.txt: add regsiter -> register spelling mistake 2017-05-08 17:15:13 -07:00
custom_method.c
debugfs.c
device_pm.c Device properties framework updates for v4.13-rc1 2017-07-10 15:23:45 -07:00
device_sysfs.c
dock.c
ec_sys.c
ec.c ACPI / PM / EC: Flush all EC work in acpi_freeze_sync() 2017-07-20 16:44:24 +02:00
event.c
evged.c
fan.c
glue.c IOMMU Updates for Linux v4.12 2017-05-09 15:15:47 -07:00
hed.c
internal.h ACPI / PM / EC: Flush all EC work in acpi_freeze_sync() 2017-07-20 16:44:24 +02:00
ioapic.c ACPI: fix whitespace in pr_fmt() to align log entries 2017-06-22 02:18:20 +02:00
irq.c ACPI / irq: Fix return code of acpi_gsi_to_irq() 2017-07-12 13:11:49 +02:00
Kconfig - New Drivers 2017-05-03 12:16:25 -07:00
Makefile Merge branches 'acpi-soc', 'acpi-bus', 'acpi-pmic' and 'acpi-power' 2017-05-09 23:23:02 +02:00
numa.c ACPI: NUMA: Fix typo in the full name of SRAT 2017-07-24 22:27:44 +02:00
nvs.c
osi.c ACPI / osi: Make local function acpi_osi_dmi_linux() static 2017-07-04 21:35:19 +02:00
osl.c
pci_irq.c
pci_link.c
pci_mcfg.c PCI/ACPI: Add ThunderX pass2.x 2nd node MCFG quirk 2017-04-24 11:58:56 -05:00
pci_root.c Power management updates for v4.13-rc1 2017-07-04 13:39:41 -07:00
pci_slot.c
power.c ACPI / power: constify attribute_group structures 2017-07-04 22:15:14 +02:00
proc.c ACPI / PM: Drop run_wake from struct acpi_device_wakeup_flags 2017-06-28 01:52:15 +02:00
processor_core.c Revert"x86/acpi: Enable MADT APIs to return disabled apicids" 2017-03-11 14:41:18 +01:00
processor_driver.c ACPI/processor: Use cpu_hotplug_disable() instead of get_online_cpus() 2017-05-26 10:10:44 +02:00
processor_idle.c
processor_pdc.c
processor_perflib.c
processor_thermal.c
processor_throttling.c acpi/processor: Prevent cpu hotplug deadlock 2017-05-26 10:10:47 +02:00
property.c device property: Introduce fwnode_device_is_available() 2017-06-22 02:55:34 +02:00
reboot.c
resource.c scripts/spelling.txt: add "overrided" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
sbs.c
sbshc.c
sbshc.h
scan.c Device properties framework updates for v4.13-rc1 2017-07-10 15:23:45 -07:00
sleep.c ACPI / PM / EC: Flush all EC work in acpi_freeze_sync() 2017-07-20 16:44:24 +02:00
sleep.h ACPI / power: Delay turning off unused power resources after suspend 2017-05-01 23:11:21 +02:00
spcr.c tty: pl011: fix initialization order of QDF2400 E44 2017-07-30 07:53:44 -07:00
sysfs.c Merge branches 'acpi-button', 'acpica' and 'acpi-sysfs' 2017-06-03 00:03:29 +02:00
tables.c Merge branch 'x86-boot-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 20:51:12 -07:00
thermal.c
utils.c ACPI: Switch to use generic guid_t in acpi_evaluate_dsm() 2017-06-07 12:20:49 +02:00
video_detect.c ACPI / video: Add quirks for the Dell Precision 7510 2017-06-28 23:41:03 +02:00
wakeup.c