From patchwork Wed Nov 2 17:02:49 2016
X-Patchwork-Submitter: Vaishali Thakkar
X-Patchwork-Id: 9409557
From: Vaishali Thakkar
To: kernel-hardening@lists.openwall.com
Cc: Vaishali Thakkar
Date: Wed, 2 Nov 2016 22:32:49 +0530
Message-Id: <1478106169-25770-1-git-send-email-vaishali.thakkar@oracle.com>
Subject: [kernel-hardening] [RFC PATCH] lib: Harden csum_partial_copy_from_user

The routine csum_partial_copy_from_user is the same as csum_partial_copy but it copies from user space for the checksumming. In other respects it is identical, and can be used to copy an arbitrarily large buffer from userspace into the kernel. Conceptually this exposes an attack surface similar to copy_from_user. So, to validate the given address we should call check_object_size here.

Note that in the absence of hardened usercopy this will have no impact.

Signed-off-by: Vaishali Thakkar

--- lib/checksum.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/checksum.c b/lib/checksum.c index d3ec93f..2e0fec8 100644 --- a/lib/checksum.c +++ b/lib/checksum.c @@ -33,6 +33,7 @@ kills, so most of the assembly has to go. */ #include +#include #include #include @@ -158,6 +159,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst, int len, { int missing; + check_object_size(dst, len, false); missing = __copy_from_user(dst, src, len); if (missing) { memset(dst + len - missing, 0, missing);
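
Review bot: in the second hunk, the new `check_object_size(dst, len, false);` call receives `len`, which the function signature declares as a signed `int`, with no visible check that it is non-negative. check_object_size takes its size as an `unsigned long`, so a negative `len` would reach it as a very large value; either reject `len < 0` before the call or state in the commit message why callers cannot pass one. The call also covers only the kernel destination `dst`, while the commit message speaks of validating "the given address" without saying which; a one-line comment above the call noting that it bounds-checks the destination object for a copy from user space (the `false` argument) would make the intent clear. The user pointer `src` still goes to `__copy_from_user()` unchanged in the context lines, so the message should not be read as covering it.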