linux/drivers/nvdimm
Meng Xu 9edcad53d6 libnvdimm, nfit: move the check on nd_reserved2 to the endpoint
Delay the check of nd_reserved2 to the actual endpoint (acpi_nfit_ctl)
that uses it, as a prevention of a potential double-fetch bug.

While examining the kernel source code, I found a dangerous operation that
could turn into a double-fetch situation (a race condition bug) where
the same userspace memory region are fetched twice into kernel with sanity
checks after the first fetch while missing checks after the second fetch.

In the case of _IOC_NR(ioctl_cmd) == ND_CMD_CALL:

1. The first fetch happens in line 935 copy_from_user(&pkg, p, sizeof(pkg)

2. subsequently `pkg.nd_reserved2` is asserted to be all zeroes
(line 984 to 986).

3. The second fetch happens in line 1022 copy_from_user(buf, p, buf_len)

4. Given that `p` can be fully controlled in userspace, an attacker can
race condition to override the header part of `p`, say,
`((struct nd_cmd_pkg *)p)->nd_reserved2` to arbitrary value
(say nine 0xFFFFFFFF for `nd_reserved2`) after the first fetch but before the
second fetch. The changed value will be copied to `buf`.

5. There is no checks on the second fetches until the use of it in
line 1034: nd_cmd_clear_to_send(nvdimm_bus, nvdimm, cmd, buf) and
line 1038: nd_desc->ndctl(nd_desc, nvdimm, cmd, buf, buf_len, &cmd_rc)
which means that the assumed relation, `p->nd_reserved2` are all zeroes might
not hold after the second fetch. And once the control goes to these functions
we lose the context to assert the assumed relation.

6. Based on my manual analysis, `p->nd_reserved2` is not used in function
`nd_cmd_clear_to_send` and potential implementations of `nd_desc->ndctl`
so there is no working exploit against it right now. However, this could
easily turns to an exploitable one if careless developers start to use
`p->nd_reserved2` later and assume that they are all zeroes.

Move the validation of the nd_reserved2 field to the ->ndctl()
implementation where it has a stable buffer to evaluate.

Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2017-09-04 11:02:21 -07:00
..
blk.c block: guard bvec iteration logic 2017-07-03 16:56:26 -06:00
btt_devs.c libnvdimm: rename nd_sector_size_{show,store} to nd_size_select_{show,store} 2017-08-11 17:36:54 -07:00
btt.c libnvdimm, btt: rework error clearing 2017-08-31 15:05:10 -07:00
btt.h libnvdimm, btt: rework error clearing 2017-08-31 15:05:10 -07:00
bus.c libnvdimm, nfit: move the check on nd_reserved2 to the endpoint 2017-09-04 11:02:21 -07:00
claim.c libnvdimm, btt: rework error clearing 2017-08-31 15:05:10 -07:00
core.c libnvdimm: rename nd_sector_size_{show,store} to nd_size_select_{show,store} 2017-08-11 17:36:54 -07:00
dax_devs.c Merge branch 'for-4.13/dax' into libnvdimm-for-next 2017-07-03 16:54:58 -07:00
dimm_devs.c libnvdimm, nfit: enable support for volatile ranges 2017-06-27 16:44:13 -07:00
dimm.c libnvdimm: handle locked label storage areas 2017-05-04 15:41:39 -07:00
e820.c libnvdimm, e820: use module_platform_driver 2016-12-05 08:52:21 -08:00
Kconfig pmem: add dax_operations support 2017-04-19 15:14:35 -07:00
label.c libnvdimm, label: fix index block size calculation 2017-08-29 18:28:18 -07:00
label.h libnvdimm, btt: BTT updates for UEFI 2.7 format 2017-06-29 13:50:38 -07:00
Makefile libnvdimm, dax: introduce device-dax infrastructure 2016-05-09 15:35:42 -07:00
namespace_devs.c libnvdimm: rename nd_sector_size_{show,store} to nd_size_select_{show,store} 2017-08-11 17:36:54 -07:00
nd-core.h libnvdimm, nfit: enable support for volatile ranges 2017-06-27 16:44:13 -07:00
nd.h libnvdimm, label: fix index block size calculation 2017-08-29 18:28:18 -07:00
pfn_devs.c libnvdimm, pfn, dax: limit namespace alignments to the supported set 2017-08-15 09:32:12 -07:00
pfn.h libnvdimm, dax: autodetect support 2016-05-20 22:02:57 -07:00
pmem.c libnvdimm for 4.13 2017-07-07 09:44:06 -07:00
pmem.h libnvdimm, nd_blk: remove mmio_flush_range() 2017-08-31 15:05:10 -07:00
region_devs.c nfit, libnvdimm, region: export 'position' in mapping info 2017-08-04 17:20:16 -07:00
region.c libnvdimm, region, pmem: fix 'badblocks' sysfs_get_dirent() reference lifetime 2017-06-30 18:56:03 -07:00