[Ocfs2-devel] [PATCH 2/2] Ocfs2: Implement new OCFS2_IOC_INFO ioctl for ocfs2.
Andi Kleen
andi at firstfloor.org
Fri Nov 27 12:23:36 PST 2009
Tristan Ye <tristan.ye at oracle.com> writes:
> +
> + /*
> + * The requests series from userspace need to be NULL-terminated.
> + */
> + do {
> + preq = *((POIR *)((char *)arg + i * sizeof(POIR)));
> + if (!preq)
> + break;
> + i++;
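Review bot: `preq = *((POIR *)((char *)arg + i * sizeof(POIR)))` dereferences the user-supplied `arg` directly from kernel context; every read of userspace memory has to go through get_user()/copy_from_user() so that the access is checked and a bad address yields -EFAULT instead of a read of arbitrary kernel memory or an oops. The walk also has no upper bound: it keeps reading until it happens to find a zero word. Suggest `if (get_user(preq, (POIR __user *)arg + i)) return -EFAULT;` together with a fixed maximum on `i` (for example `if (++i > OCFS2_INFO_MAX_REQUESTS) return -E2BIG;`); with the `break` on `!preq` already present, the `while (preq)` condition on the loop is redundant and `while (1)` or a `for` with the bound would read more clearly.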
That's the first security leak. Can be used to probe arbitrary memory.
You always need to use *_user for any user space access.
> +
> + } while (preq);
> +
> + num_reqs = i;
> +
> + reqs = kmalloc(sizeof(POIR) * num_reqs, GFP_KERNEL);
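Review bot: `sizeof(POIR) * num_reqs` is an unchecked multiplication on a count taken from userspace, so a large `num_reqs` can wrap the size, hand kmalloc() a small buffer and turn the subsequent fill of `reqs` into a heap overflow; use `kcalloc(num_reqs, sizeof(POIR), GFP_KERNEL)`, which fails on overflow, reject `num_reqs` above a fixed maximum before allocating, and check the result for NULL (also note `num_reqs == 0` reaches here when the first entry is NULL, so kmalloc() returns ZERO_SIZE_PTR and any dereference of `reqs` would fault).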
This is the next root exploit. Think what happens when the user passes a very
large number for num_reqs that overflows the multiplication.
If anything use kcalloc(). And limit the maximum size.
It's unclear why you just can't use separate ioctls for each request.
-Andi
--
ak at linux.intel.com -- Speaking for myself only.
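To make the two review points concrete, here is an added userspace model of the same argument walk; it is not code from the patch or from ocfs2. It assumes POIR is a pointer-sized value terminated by a NULL entry, models get_user() with a bounds-checked read from a simulated user buffer (`sim_get_user`), applies an assumed cap of 16 requests, and computes the allocation size the way kcalloc() does, refusing a product that would wrap. The sample arrays are constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: POIR is a pointer-sized value; a NULL entry ends the list. */
typedef uintptr_t POIR;

/* Assumed cap on requests per ioctl call; the patch has none. */
#define INFO_MAX_REQUESTS 16

/* Simulated user memory: only bytes inside [base, base + len) are readable. */
struct user_mem {
	const unsigned char *base;
	size_t len;
};

/* Stand-in for get_user(): a bounds-checked read of one POIR. Returns -EFAULT
 * exactly where the raw dereference in the patch would read foreign memory. */
static int sim_get_user(POIR *dst, const struct user_mem *um, size_t off)
{
	if (off > um->len || um->len - off < sizeof(POIR))
		return -EFAULT;
	memcpy(dst, um->base + off, sizeof(POIR));
	return 0;
}

/* kcalloc-style check: refuse n * size if the product would wrap. */
static int array_bytes_checked(size_t n, size_t size, size_t *bytes)
{
	if (size != 0 && n > SIZE_MAX / size)
		return -EOVERFLOW;
	*bytes = n * size;
	return 0;
}

/* Count entries up to the NULL terminator without ever stepping past the cap
 * or the end of user memory. Returns the count or a negative errno. */
static int count_requests(const struct user_mem *um)
{
	size_t i;

	for (i = 0; i <= INFO_MAX_REQUESTS; i++) {
		POIR preq;
		int err = sim_get_user(&preq, um, i * sizeof(POIR));

		if (err)
			return err;
		if (!preq)
			return (int)i;
	}
	return -E2BIG;
}

/* Copy the request pointers in through the checked accessor with an
 * overflow-checked allocation. Returns the count or a negative errno; on
 * success *reqs points at a calloc'd array the caller frees. */
static int fetch_requests(const struct user_mem *um, POIR **reqs)
{
	int n = count_requests(um);
	size_t bytes, i;
	POIR *buf;

	*reqs = NULL;
	if (n < 0)
		return n;
	if (array_bytes_checked((size_t)n, sizeof(POIR), &bytes))
		return -EOVERFLOW;
	buf = calloc((size_t)n, sizeof(POIR));	/* kcalloc() stand-in */
	if (!buf)
		return -ENOMEM;
	for (i = 0; i < (size_t)n; i++) {
		if (sim_get_user(&buf[i], um, i * sizeof(POIR))) {
			free(buf);
			return -EFAULT;
		}
	}
	*reqs = buf;
	return n;
}

/* Run the whole walk over a raw byte buffer: returns count or -errno. */
static int check_request_list(const void *buf, size_t len)
{
	struct user_mem um = { buf, len };
	POIR *reqs;
	int n = fetch_requests(&um, &reqs);

	free(reqs);
	return n;
}

/* 1 if n requests would overflow the allocation size, as kcalloc() detects. */
static int alloc_size_overflows(size_t n)
{
	size_t bytes;

	return array_bytes_checked(n, sizeof(POIR), &bytes) == -EOVERFLOW;
}

/* Constructed sample "user" arrays; the pointer values are arbitrary non-NULL. */
static const POIR sample_terminated[] = { 0x1000, 0x2000, 0x3000, 0 };
static const POIR sample_unterminated[] = { 0x1000, 0x2000 };
static const POIR sample_too_long[] = {
	1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 0
};
```

Calling `check_request_list(sample_terminated, sizeof sample_terminated)` yields 3; the unterminated array yields -EFAULT at the point where the patch's loop would have read past the caller's buffer, and the 17-entry array yields -E2BIG from the cap rather than an unbounded allocation.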