From patchwork Tue Feb 25 16:20:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 11404225 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AC7C713A4 for ; Tue, 25 Feb 2020 16:21:13 +0000 (UTC) Received: from ml01.01.org (ml01.01.org [198.145.21.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8A5692084E for ; Tue, 25 Feb 2020 16:21:13 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=oracle.com header.i=@oracle.com header.b="WiVZot7Y" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8A5692084E Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=oracle.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-nvdimm-bounces@lists.01.org Received: from ml01.vlan13.01.org (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 5B9D710FC35B7; Tue, 25 Feb 2020 08:22:05 -0800 (PST) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=156.151.31.86; helo=userp2130.oracle.com; envelope-from=dan.carpenter@oracle.com; receiver= Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 19B1910FC3415 for ; Tue, 25 Feb 2020 08:22:03 -0800 (PST) Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 01PGDL08192459; Tue, 25 Feb 2020 16:21:09 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type : in-reply-to; s=corp-2020-01-29; bh=D3SVf2iPhEZqCyFdhbv/UEWgb6Y7/GGiH1GAJDJvhO8=; b=WiVZot7YuvgGXIsLk+Xi9N6ufdMbjfhI83GU8D+fi7M2sEagxIHhLeRUpfN308YdpTgm sx50nU7+w4pjWe8+YIZlbLsVDbdXBKo+USS3YEMVaVKl4o3TsnQ5WgKvEYJW1CHSi/Nc a/Pf4VAc4Q2HsafjY/Vow0WRsBjMSnmqYLo9tHHAfogjpe7EAlpFRLexlnB1oY+E2pIr oYYwKWQn3EPWy6VVp0WftmxUUjIslIM+i7ac+3sMUBsRueQtTs2NNkXyiT43ns0SRsWy fF2SYBbxcq/oa5FXOwo5rKb5Crfipl8tx8Xj9sw4G+Wu//+tI2DOnCyb6uUQgF2UV25i kA== Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by userp2130.oracle.com with ESMTP id 2yd0njjgx0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 25 Feb 2020 16:21:08 +0000 Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 01PGECoq034279; Tue, 25 Feb 2020 16:21:08 GMT Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userp3020.oracle.com with ESMTP id 2yd17q97sn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 25 Feb 2020 16:21:08 +0000 Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 01PGL6v6007721; Tue, 25 Feb 2020 16:21:07 GMT Received: from kili.mountain (/129.205.23.165) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 25 Feb 2020 08:21:06 -0800 Date: Tue, 25 Feb 2020 19:20:56 +0300 From: Dan Carpenter To: Dan Williams Subject: [PATCH 2/2] libnvdimm: Out of bounds read in __nd_ioctl() Message-ID: <20200225162055.amtosfy7m35aivxg@kili.mountain> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20200225161927.hvftuq7kjn547fyj@kili.mountain> X-Mailer: git-send-email haha only kidding User-Agent: NeoMutt/20170113 (1.7.2) X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9542 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 bulkscore=0 mlxlogscore=864 malwarescore=0 adultscore=0 phishscore=0 suspectscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2001150001 definitions=main-2002250124 X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9542 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 adultscore=0 mlxscore=0 malwarescore=0 priorityscore=1501 impostorscore=0 mlxlogscore=925 suspectscore=0 bulkscore=0 spamscore=0 lowpriorityscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2001150001 definitions=main-2002250124 Message-ID-Hash: E7I4I6FKCQGA3YB4PHZO2G6RLDYAAS73 X-Message-ID-Hash: E7I4I6FKCQGA3YB4PHZO2G6RLDYAAS73 X-MailFrom: dan.carpenter@oracle.com X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation CC: linux-nvdimm@lists.01.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org X-Mailman-Version: 3.1.1 Precedence: list List-Id: "Linux-nvdimm developer list." Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: The "cmd" comes from the user and it can be up to 255. It it's more than the number of bits in long, it results out of bounds read when we check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is ND_CMD_CALL (10) so I added a compare against that. Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices") Signed-off-by: Dan Carpenter --- drivers/nvdimm/bus.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c index a8b515968569..09087c38fabd 100644 --- a/drivers/nvdimm/bus.c +++ b/drivers/nvdimm/bus.c @@ -1042,8 +1042,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, return -EFAULT; } - if (!desc || (desc->out_num + desc->in_num == 0) || - !test_bit(cmd, &cmd_mask)) + if (!desc || + (desc->out_num + desc->in_num == 0) || + cmd > ND_CMD_CALL || + !test_bit(cmd, &cmd_mask)) return -ENOTTY; /* fail write commands (when read-only) */