• Wenwen Wang's avatar
    yam: fix a missing-check bug · 0781168e
    Wenwen Wang authored
    In yam_ioctl(), the concrete ioctl command is firstly copied from the
    user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the
    following switch statement. If the command is not as expected, an error
    code EINVAL is returned. In the following execution the buffer
    'ifr->ifr_data' is copied again in the cases of the switch statement to
    specific data structures according to what kind of ioctl command is
    requested. However, after the second copy, no re-check is enforced on the
    newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user
    space, a malicious user can race to change the command between the two
    copies. This way, the attacker can inject inconsistent data and cause
    undefined behavior.
    
    This patch adds a re-check in each case of the switch statement if there is
    a second copy in that case, to re-check whether the command obtained in the
    second copy is the same as the one in the first copy. If not, an error code
    EINVAL will be returned.
    Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    0781168e
yam.c 31.9 KB