On Fri, 9 Aug 2019, Alexander Popov wrote: > Hello everyone! > > On 27.03.2019 1:03, Jann Horn wrote: > > As sparse points out, these two copy_from_user() should actually be > > copy_to_user(). > > I've spent some time on these bugs, but it turned out that they are already public. > > I think Jann's patch is lost, it is not applied to the mainline. > So I add a new floppy maintainer Denis Efremov to CC. > > These bugs on x86_64 cause memset for the userspace memory from the kernelspace. > That is funny: > - access_ok for the copy_from_user source (2nd argument) returns zero; > - copy_from_user tries to erase the destination (1st argument); > - but the destination is in the userspace instead of kernelspace. > > So we have: > [ 40.937098] BUG: unable to handle page fault for address: 0000000041414242 > [ 40.938714] #PF: supervisor write access in kernel mode > [ 40.939951] #PF: error_code(0x0002) - not-present page > [ 40.941121] PGD 7963f067 P4D 7963f067 PUD 0 > [ 40.942107] Oops: 0002 [#1] SMP NOPTI > [ 40.942968] CPU: 0 PID: 292 Comm: d Not tainted 5.3.0-rc3+ #7 > [ 40.944288] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > Ubuntu-1.8.2-1ubuntu1 04/01/2014 > [ 40.946478] RIP: 0010:__memset+0x24/0x30 > [ 40.947394] Code: 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83 e2 07 > 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 > d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3 > [ 40.951721] RSP: 0018:ffffc900003dbd58 EFLAGS: 00010206 > [ 40.952941] RAX: 0000000000000000 RBX: 0000000000000034 RCX: 0000000000000006 > [ 40.954592] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000041414242 > [ 40.956169] RBP: 0000000041414242 R08: ffffffff8200bd80 R09: 0000000041414242 > [ 40.957753] R10: 0000000000121806 R11: ffff88807da28ab0 R12: ffffc900003dbd7c > [ 40.959407] R13: 0000000000000001 R14: 0000000041414242 R15: 0000000041414242 > [ 40.961062] FS: 00007f91115c4440(0000) GS:ffff88807da00000(0000) > knlGS:0000000000000000 > [ 40.962603] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 40.963695] CR2: 0000000041414242 CR3: 000000007c584000 CR4: 00000000000006f0 > [ 40.965004] Call Trace: > [ 40.965459] _copy_from_user+0x51/0x60 > [ 40.966141] compat_getdrvstat+0x124/0x170 > [ 40.966781] fd_compat_ioctl+0x69c/0x6d0 > [ 40.967423] ? selinux_file_ioctl+0x16f/0x210 > [ 40.968117] compat_blkdev_ioctl+0x21d/0x8f0 > [ 40.968864] __x32_compat_sys_ioctl+0x99/0x250 > [ 40.969659] do_syscall_64+0x4a/0x110 > [ 40.970337] entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > > I haven't found a way to exploit it. > > > Fixes: 229b53c9bf4e ("take floppy compat ioctls to sodding floppy.c") > > Cc: stable@xxxxxxxxxxxxxxx > > Signed-off-by: Jann Horn <jannh@xxxxxxxxxx> > > Reviewed-by: Mukesh Ojha <mojha@xxxxxxxxxxxxxx> > > --- > > compile-tested only > > Acked-by: Alexander Popov <alex.popov@xxxxxxxxx> > > > drivers/block/floppy.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c > > index 95f608d1a098..8c641245ff12 100644 > > --- a/drivers/block/floppy.c > > +++ b/drivers/block/floppy.c > > @@ -3749,7 +3749,7 @@ static int compat_getdrvprm(int drive, > > v.native_format = UDP->native_format; > > mutex_unlock(&floppy_mutex); > > > > - if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_params))) > > + if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_params))) > > return -EFAULT; > > return 0; > > } > > @@ -3785,7 +3785,7 @@ static int compat_getdrvstat(int drive, bool poll, > > v.bufblocks = UDRS->bufblocks; > > mutex_unlock(&floppy_mutex); > > > > - if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_struct))) > > + if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_struct))) > > return -EFAULT; > > return 0; > > Eintr: > > > > I also wrote a coccinelle rule for detecting similar bugs (adding coccinelle > experts to CC). > > > virtual report > > @cfu@ You can replace the above line with @cfu exists@. You want to find the existence of such a call, not ensure that the call occurs on every control-flow path, which is the default. Do you want this rule to go into the kernel? julia > identifier f; > type t; > identifier v; > position decl_p; > position copy_p; > @@ > > f(..., t v@decl_p, ...) > { > <+... > copy_from_user@copy_p(v, ...) > ...+> > } > > @script:python@ > f << cfu.f; > t << cfu.t; > v << cfu.v; > decl_p << cfu.decl_p; > copy_p << cfu.copy_p; > @@ > > if '__user' in t: > msg0 = "function \"" + f + "\" has arg \"" + v + "\" of type \"" + t + "\"" > coccilib.report.print_report(decl_p[0], msg0) > msg1 = "copy_from_user uses \"" + v + "\" as the destination. What a shame!\n" > coccilib.report.print_report(copy_p[0], msg1) > > > The rule output: > > ./drivers/block/floppy.c:3756:49-52: function "compat_getdrvprm" has arg "arg" > of type "struct compat_floppy_drive_params __user *" > ./drivers/block/floppy.c:3783:5-19: copy_from_user uses "arg" as the > destination. What a shame! > > ./drivers/block/floppy.c:3789:49-52: function "compat_getdrvstat" has arg "arg" > of type "struct compat_floppy_drive_struct __user *" > ./drivers/block/floppy.c:3819:5-19: copy_from_user uses "arg" as the > destination. What a shame! > > > Best regards, > Alexander >