1. 25 Sep, 2020 2 commits
    •
      staging: vchiq: avoid mixing kernel and user pointers · 1c954540
      Arnd Bergmann authored
      As found earlier, there is a problem in the create_pagelist() function
      that takes a pointer argument that either points into vmalloc space or
      into user space, with the pointer value controlled by user space allowing
      a malicious user to trick the driver into accessing the kernel instead.
      
      Avoid this problem by adding another function argument and passing
      kernel pointers separately from user pointers. This makes it possible
      to rely on sparse to point out invalid conversions, and it prevents
      user space from faking a kernel pointer.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20200925114424.2647144-2-arnd@arndb.de
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    •
      staging: vchiq: fix __user annotations · 4184da4f
      Arnd Bergmann authored
      My earlier patches caused some new sparse warnings, but it turns out
      that a number of those are actual bugs, or at least suspicious code.
      
      Adding __user annotations to the data structures that are defined in
      uapi headers helps avoid the new warnings, but that causes a different
      set of warnings to show up, as some of these structures are used both
      inside of the kernel and at the user interface but storing pointers to
      different things there.
      
      Duplicating the vchiq_service_params and vchiq_completion_data structures
      in turn takes care of most of those, and then it turns out that there
      is a 'data' pointer that can be any of a __user address, a dma_addr_t
      and a kernel pointer in vmalloc space at times.
      
      I'm trying to annotate these as best I can without changing behavior,
      but there still seems to be a serious bug when user space passes
      a valid vmalloc space address instead of a user pointer. Adding
      comments in the code there, and leaving the warnings in place that
      seem to correspond to actual bugs.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20200925114424.2647144-1-arnd@arndb.de
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 22 Sep, 2020 17 commits
  3. 21 Sep, 2020 21 commits