| Message ID | 200905251317.02633.laurent.pinchart@skynet.be (mailing list archive) |
|---|---|
| State | RFC, archived |
| Headers |
Return-path: <linux-media-owner@vger.kernel.org> Envelope-to: mchehab@infradead.org Delivery-date: Mon, 25 May 2009 11:12:49 +0000 Received: from bombadil.infradead.org [18.85.46.34] by pedra.chehab.org with IMAP (fetchmail-6.3.6) for <mchehab@localhost> (single-drop); Mon, 25 May 2009 10:46:02 -0300 (BRT) Received: from vger.kernel.org ([209.132.176.167]) by bombadil.infradead.org with esmtp (Exim 4.69 #1 (Red Hat Linux)) id 1M8Y6q-0005SZ-Vq; Mon, 25 May 2009 11:12:49 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751221AbZEYLMo (ORCPT <rfc822; kmpark@infradead.org> + 1 other); Mon, 25 May 2009 07:12:44 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751248AbZEYLMo (ORCPT <rfc822;linux-media-outgoing>); Mon, 25 May 2009 07:12:44 -0400 Received: from perceval.irobotique.be ([92.243.18.41]:55750 "EHLO perceval.irobotique.be" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751221AbZEYLMo convert rfc822-to-8bit (ORCPT <rfc822;linux-media@vger.kernel.org>); Mon, 25 May 2009 07:12:44 -0400 Received: from ravenclaw.localnet (249.248-240-81.adsl-static.isp.belgacom.be [81.240.248.249]) by perceval.irobotique.be (Postfix) with ESMTPSA id A5CC335B28; Mon, 25 May 2009 11:12:44 +0000 (UTC) From: Laurent Pinchart <laurent.pinchart@skynet.be> To: linux-media@vger.kernel.org Subject: [RFC, PATCH] VIDIOC_G_EXT_CTRLS does not handle NULL pointer correctly Date: Mon, 25 May 2009 13:17:02 +0200 User-Agent: KMail/1.11.3 (Linux/2.6.28; KDE/4.2.3; x86_64; ; ) Cc: nm127@freemail.hu MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: 8BIT Content-Disposition: inline Message-Id: <200905251317.02633.laurent.pinchart@skynet.be> Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org |
Commit Message
Laurent Pinchart
May 25, 2009, 11:17 a.m. UTC
Hi everybody, Márton Németh found an integer overflow bug in the extended control ioctl handling code. This affects both video_usercopy and video_ioctl2. See http://bugzilla.kernel.org/show_bug.cgi?id=13357 for a detailed description of the problem. v4l2_ext_controls::count is not checked explicitly by video_usercopy/video_ioctl2. Instead the code tries to allocate v4l2_ext_controls::count * sizeof(struct v4l2_ext_control) to copy v4l2_ext_controls::controls from userspace to kernelspace, and return an error if the memory can't be allocated or if the user pointer is invalid. The v4l2_ext_controls::count * sizeof(struct v4l2_ext_control) value is stored in a 32 bits integer, resulting in an overflow if v4l2_ext_controls::count is too high. If the result is smaller than the maximum kmalloc'able size, the ioctl call will make it to the device driver, which will likely crash. The following patch (copied from bugzilla) fixes the problem. Restricting v4l2_ext_controls::count to values smaller than KMALLOC_MAX_SIZE / sizeof(struct v4l2_ext_control) should be enough, but we might want to restrict the value even further. I'd like opinions on this. Best regards, Laurent Pinchart -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Comments
Em Mon, 25 May 2009 13:17:02 +0200 Laurent Pinchart <laurent.pinchart@skynet.be> escreveu: > Hi everybody, > > Márton Németh found an integer overflow bug in the extended control ioctl > handling code. This affects both video_usercopy and video_ioctl2. See > http://bugzilla.kernel.org/show_bug.cgi?id=13357 for a detailed description of > the problem. > > Restricting v4l2_ext_controls::count to values smaller than KMALLOC_MAX_SIZE / > sizeof(struct v4l2_ext_control) should be enough, but we might want to > restrict the value even further. I'd like opinions on this. Seems fine to my eyes, but being so close to kmalloc size doesn't seem to be a good idea. It seems better to choose an arbitrary size big enough to handle all current needs. Cheers, Mauro -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, 25 May 2009, Laurent Pinchart wrote: > diff -r e0d881b21bc9 linux/drivers/media/video/v4l2-ioctl.c > --- a/linux/drivers/media/video/v4l2-ioctl.c Tue May 19 15:12:17 2009 +0200 > +++ b/linux/drivers/media/video/v4l2-ioctl.c Sun May 24 18:26:29 2009 +0200 > @@ -402,6 +402,10 @@ > a specific control that caused it. */ > p->error_idx = p->count; > user_ptr = (void __user *)p->controls; > + if (p->count > KMALLOC_MAX_SIZE / sizeof(p->controls[0])) { > + err = -ENOMEM; > + goto out_ext_ctrl; > + } > if (p->count) { > ctrls_size = sizeof(struct v4l2_ext_control) * p->count; > /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */ > @@ -1859,6 +1863,10 @@ > a specific control that caused it. */ > p->error_idx = p->count; > user_ptr = (void __user *)p->controls; > + if (p->count > KMALLOC_MAX_SIZE / sizeof(p->controls[0])) { > + err = -ENOMEM; > + goto out_ext_ctrl; > + } > if (p->count) { > ctrls_size = sizeof(struct v4l2_ext_control) * p->count; > /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */ > > Restricting v4l2_ext_controls::count to values smaller than KMALLOC_MAX_SIZE / > sizeof(struct v4l2_ext_control) should be enough, but we might want to > restrict the value even further. I'd like opinions on this. One thing that could be done is to call access_ok() on the range before kmalloc'ing a buffer. If p->count is too high, then it's possible that the copy_from_user will fail because the process does not have the address space to copy. -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Monday 25 May 2009 21:22:06 Trent Piepho wrote: > On Mon, 25 May 2009, Laurent Pinchart wrote: > > diff -r e0d881b21bc9 linux/drivers/media/video/v4l2-ioctl.c > > --- a/linux/drivers/media/video/v4l2-ioctl.c Tue May 19 15:12:17 2009 > > +0200 +++ b/linux/drivers/media/video/v4l2-ioctl.c Sun May 24 18:26:29 > > 2009 +0200 @@ -402,6 +402,10 @@ > > a specific control that caused it. */ > > p->error_idx = p->count; > > user_ptr = (void __user *)p->controls; > > + if (p->count > KMALLOC_MAX_SIZE / sizeof(p->controls[0])) { > > + err = -ENOMEM; > > + goto out_ext_ctrl; > > + } > > if (p->count) { > > ctrls_size = sizeof(struct v4l2_ext_control) * p->count; > > /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */ > > @@ -1859,6 +1863,10 @@ > > a specific control that caused it. */ > > p->error_idx = p->count; > > user_ptr = (void __user *)p->controls; > > + if (p->count > KMALLOC_MAX_SIZE / sizeof(p->controls[0])) { > > + err = -ENOMEM; > > + goto out_ext_ctrl; > > + } > > if (p->count) { > > ctrls_size = sizeof(struct v4l2_ext_control) * p->count; > > /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */ > > > > Restricting v4l2_ext_controls::count to values smaller than > > KMALLOC_MAX_SIZE / sizeof(struct v4l2_ext_control) should be enough, but > > we might want to restrict the value even further. I'd like opinions on > > this. > > One thing that could be done is to call access_ok() on the range before > kmalloc'ing a buffer. If p->count is too high, then it's possible that the > copy_from_user will fail because the process does not have the address > space to copy. arch/x86/include/asm/uaccess.h, about access_ok(): * Note that, depending on architecture, this function probably just * checks that the pointer is in the user space range - after calling * this function, memory access functions may still return -EFAULT. I don't think it's worth it. Let's just kmalloc (or kzalloc) and copy_from_user. If one of them fails we'll return an error. Could a very large number of control requests be used as a DoS attack vector ? A userspace application could kmalloc large amounts of memory without any restriction. Memory would be reclaimed eventually, but after performing a large number of USB requests, which could take quite a long time. Best regards, Laurent Pinchart -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Laurent Pinchart worte: > Could a very large number of control requests be used as a DoS attack vector ? > A userspace application could kmalloc large amounts of memory without any > restriction. Memory would be reclaimed eventually, but after performing a > large number of USB requests, which could take quite a long time. A DoS attacker could open the /dev/video0 several times even from one single process (from different threads) and could kmalloc() as much memory as the attacker wants. Maybe even one file descriptor would be enough using it from different threads. This could force the system to swap out pages to get the necessary memory. I don't know if more than one instance of the VIDIOC_G_EXT_CTRLS requests can actively keep memory allocated or only one can run at a time forcing the other requests to sleep until the previous one hadn't been finished. This is also true for VIDIOC_S_EXT_CTRLS and VIDIOC_TRY_EXT_CTRLS. Regards, Márton Németh -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Em Mon, 25 May 2009 11:16:34 -0300 Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: > Em Mon, 25 May 2009 13:17:02 +0200 > Laurent Pinchart <laurent.pinchart@skynet.be> escreveu: > > > Hi everybody, > > > > Márton Németh found an integer overflow bug in the extended control ioctl > > handling code. This affects both video_usercopy and video_ioctl2. See > > http://bugzilla.kernel.org/show_bug.cgi?id=13357 for a detailed description of > > the problem. > > > > > Restricting v4l2_ext_controls::count to values smaller than KMALLOC_MAX_SIZE / > > sizeof(struct v4l2_ext_control) should be enough, but we might want to > > restrict the value even further. I'd like opinions on this. > > Seems fine to my eyes, but being so close to kmalloc size doesn't seem to be a > good idea. It seems better to choose an arbitrary size big enough to handle all current needs. I'll apply the current version, but I still think we should restrict it to a lower value. Cheers, Mauro -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Em Wed, 10 Jun 2009 10:52:28 -0300 Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: > Em Mon, 25 May 2009 11:16:34 -0300 > Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: > > > Em Mon, 25 May 2009 13:17:02 +0200 > > Laurent Pinchart <laurent.pinchart@skynet.be> escreveu: > > > > > Hi everybody, > > > > > > Márton Németh found an integer overflow bug in the extended control ioctl > > > handling code. This affects both video_usercopy and video_ioctl2. See > > > http://bugzilla.kernel.org/show_bug.cgi?id=13357 for a detailed description of > > > the problem. > > > > > > > > Restricting v4l2_ext_controls::count to values smaller than KMALLOC_MAX_SIZE / > > > sizeof(struct v4l2_ext_control) should be enough, but we might want to > > > restrict the value even further. I'd like opinions on this. > > > > Seems fine to my eyes, but being so close to kmalloc size doesn't seem to be a > > good idea. It seems better to choose an arbitrary size big enough to handle all current needs. > > I'll apply the current version, but I still think we should restrict it to a lower value. Hmm... SOB is missing. Márton and Laurent, could you please sign it Cheers, Mauro -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Mauro Carvalho Chehab wrote: > Em Wed, 10 Jun 2009 10:52:28 -0300 > Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: > >> Em Mon, 25 May 2009 11:16:34 -0300 >> Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: >> >>> Em Mon, 25 May 2009 13:17:02 +0200 >>> Laurent Pinchart <laurent.pinchart@skynet.be> escreveu: >>> >>>> Hi everybody, >>>> >>>> Márton Németh found an integer overflow bug in the extended control ioctl >>>> handling code. This affects both video_usercopy and video_ioctl2. See >>>> http://bugzilla.kernel.org/show_bug.cgi?id=13357 for a detailed description of >>>> the problem. >>>> >>>> Restricting v4l2_ext_controls::count to values smaller than KMALLOC_MAX_SIZE / >>>> sizeof(struct v4l2_ext_control) should be enough, but we might want to >>>> restrict the value even further. I'd like opinions on this. >>> Seems fine to my eyes, but being so close to kmalloc size doesn't seem to be a >>> good idea. It seems better to choose an arbitrary size big enough to handle all current needs. >> I'll apply the current version, but I still think we should restrict it to a lower value. > > > Hmm... SOB is missing. Márton and Laurent, could you please sign it As I wrote at http://bugzilla.kernel.org/show_bug.cgi?id=13357#c6 : Tested-by: Márton Németh <nm127@freemail.hu> Regards, Márton Németh -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wednesday 10 June 2009 15:53:57 Mauro Carvalho Chehab wrote: > Em Wed, 10 Jun 2009 10:52:28 -0300 > > Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: > > Em Mon, 25 May 2009 11:16:34 -0300 > > > > Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: > > > Em Mon, 25 May 2009 13:17:02 +0200 > > > > > > Laurent Pinchart <laurent.pinchart@skynet.be> escreveu: > > > > Hi everybody, > > > > > > > > Márton Németh found an integer overflow bug in the extended control > > > > ioctl handling code. This affects both video_usercopy and > > > > video_ioctl2. See http://bugzilla.kernel.org/show_bug.cgi?id=13357 > > > > for a detailed description of the problem. > > > > > > > > > > > > Restricting v4l2_ext_controls::count to values smaller than > > > > KMALLOC_MAX_SIZE / sizeof(struct v4l2_ext_control) should be enough, > > > > but we might want to restrict the value even further. I'd like > > > > opinions on this. > > > > > > Seems fine to my eyes, but being so close to kmalloc size doesn't seem > > > to be a good idea. It seems better to choose an arbitrary size big > > > enough to handle all current needs. > > > > I'll apply the current version, but I still think we should restrict it > > to a lower value. > > Hmm... SOB is missing. Márton and Laurent, could you please sign it Signed-off-by: Laurent Pinchart <laurent.pinchart@skynet.be> Cheers, Laurent Pinchart -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Mauro, On Wednesday 10 June 2009 23:58:31 Laurent Pinchart wrote: > On Wednesday 10 June 2009 15:53:57 Mauro Carvalho Chehab wrote: > > Em Wed, 10 Jun 2009 10:52:28 -0300 > > > > Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: > > > Em Mon, 25 May 2009 11:16:34 -0300 > > > > > > Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: > > > > Em Mon, 25 May 2009 13:17:02 +0200 > > > > > > > > Laurent Pinchart <laurent.pinchart@skynet.be> escreveu: > > > > > Hi everybody, > > > > > > > > > > Márton Németh found an integer overflow bug in the extended control > > > > > ioctl handling code. This affects both video_usercopy and > > > > > video_ioctl2. See http://bugzilla.kernel.org/show_bug.cgi?id=13357 > > > > > for a detailed description of the problem. > > > > > > > > > > > > > > > Restricting v4l2_ext_controls::count to values smaller than > > > > > KMALLOC_MAX_SIZE / sizeof(struct v4l2_ext_control) should be > > > > > enough, but we might want to restrict the value even further. I'd > > > > > like opinions on this. > > > > > > > > Seems fine to my eyes, but being so close to kmalloc size doesn't > > > > seem to be a good idea. It seems better to choose an arbitrary size > > > > big enough to handle all current needs. > > > > > > I'll apply the current version, but I still think we should restrict it > > > to a lower value. > > > > Hmm... SOB is missing. Márton and Laurent, could you please sign it > > Signed-off-by: Laurent Pinchart <laurent.pinchart@skynet.be> Márton reminded me that the patch has still not been applied. Please replace the above SOB line with Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Laurent Pinchart wrote: > Hi Mauro, > > On Wednesday 10 June 2009 23:58:31 Laurent Pinchart wrote: >> On Wednesday 10 June 2009 15:53:57 Mauro Carvalho Chehab wrote: >>> Em Wed, 10 Jun 2009 10:52:28 -0300 >>> >>> Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: >>>> Em Mon, 25 May 2009 11:16:34 -0300 >>>> >>>> Mauro Carvalho Chehab <mchehab@infradead.org> escreveu: >>>>> Em Mon, 25 May 2009 13:17:02 +0200 >>>>> >>>>> Laurent Pinchart <laurent.pinchart@skynet.be> escreveu: >>>>>> Hi everybody, >>>>>> >>>>>> Márton Németh found an integer overflow bug in the extended control >>>>>> ioctl handling code. This affects both video_usercopy and >>>>>> video_ioctl2. See http://bugzilla.kernel.org/show_bug.cgi?id=13357 >>>>>> for a detailed description of the problem. >>>>>> >>>>>> >>>>>> Restricting v4l2_ext_controls::count to values smaller than >>>>>> KMALLOC_MAX_SIZE / sizeof(struct v4l2_ext_control) should be >>>>>> enough, but we might want to restrict the value even further. I'd >>>>>> like opinions on this. >>>>> Seems fine to my eyes, but being so close to kmalloc size doesn't >>>>> seem to be a good idea. It seems better to choose an arbitrary size >>>>> big enough to handle all current needs. >>>> I'll apply the current version, but I still think we should restrict it >>>> to a lower value. >>> Hmm... SOB is missing. Márton and Laurent, could you please sign it >> Signed-off-by: Laurent Pinchart <laurent.pinchart@skynet.be> > > Márton reminded me that the patch has still not been applied. > > Please replace the above SOB line with > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Márton Németh <nm127@freemail.hu> -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff -r e0d881b21bc9 linux/drivers/media/video/v4l2-ioctl.c --- a/linux/drivers/media/video/v4l2-ioctl.c Tue May 19 15:12:17 2009 +0200 +++ b/linux/drivers/media/video/v4l2-ioctl.c Sun May 24 18:26:29 2009 +0200 @@ -402,6 +402,10 @@ a specific control that caused it. */ p->error_idx = p->count; user_ptr = (void __user *)p->controls; + if (p->count > KMALLOC_MAX_SIZE / sizeof(p->controls[0])) { + err = -ENOMEM; + goto out_ext_ctrl; + } if (p->count) { ctrls_size = sizeof(struct v4l2_ext_control) * p->count; /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */ @@ -1859,6 +1863,10 @@ a specific control that caused it. */ p->error_idx = p->count; user_ptr = (void __user *)p->controls; + if (p->count > KMALLOC_MAX_SIZE / sizeof(p->controls[0])) { + err = -ENOMEM; + goto out_ext_ctrl; + } if (p->count) { ctrls_size = sizeof(struct v4l2_ext_control) * p->count; /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */