[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] FW: An out-of-bound read/write in fsi driver
From:       "Luo Likang" <luolikang () nsfocus ! com>
Date:       2021-06-25 2:57:09
Message-ID: 001f01d7696d$ca7f4890$5f7dd9b0$ () nsfocus ! com
[Download RAW message or body]


 

Because of my mistake, I took a normal bug as a security bug and reported it
to linux-distros£¬linux-distros requested me notify oss-security since these
bugs were deemed to not be a security vulnerability, and no embargo was set.


 

Because of copy_ from_user has some check, so - 1 does not cause
cross-border access, and lots of check in fsi_check_access().

 

The following is the original of my report:

 

I found an oob read/write bug in function cfam_read/cfam_write of
drivers/fsi/fsi-core.c

It lack of the check of count and offset.

 

```

/* Create chardev for userspace access */

       cdev_init(&slave->cdev, &cfam_fops);

- - - -  - - - - - - - - - - - -- - - - - - - - - - - 

static const struct file_operations cfam_fops = {

       .owner           = THIS_MODULE,

       .open             = cfam_open,

       .llseek            = cfam_llseek,

       .read       = cfam_read,

       .write             = cfam_write,

};

```

In userspace, we can open this chardev can invoke read to use cfam_read.

 

cfam_read

```

static ssize_t cfam_read(struct file *filep, char __user *buf, size_t count,

                     loff_t *offset)

{

       struct fsi_slave *slave = filep->private_data;

       size_t total_len, read_len;

       loff_t off = *offset;

       ssize_t rc;

 

       if (off < 0)

              return -EINVAL;

 

       if (off > 0xffffffff || count > 0xffffffff || off + count >
0xffffffff)//[0]

              return -EINVAL;

 

       for (total_len = 0; total_len < count; total_len += read_len) {

              __be32 data;

 

              read_len = min_t(size_t, count, 4); //[1]

              read_len -= off & 0x3;          //[2]

 

              rc = fsi_slave_read(slave, off, &data, read_len);//[3]

              if (rc)

                     goto fail;

              rc = copy_to_user(buf + total_len, &data, read_len);//[4]

              ¡­¡­¡­

       }

       ¡­¡­..

       return count;

}

```

In [0]: This line will check the parameters to prevent integer overflow, but
it did not compare the size of count and offset, wo can pass count=2,
offset=3 to this function.

In [1]: read_len will be assigned a value of 2

In [2]: read_len-=offset&3  => read_len-=3 => read_len=-1.

In[3]/[4]: will OOB access

 

Cfam_write :

The reason for the vulnerability of cfam_write is the same as cfam_read.



[prev in list] [next in list] [prev in thread] [next in thread]