[CHECKER] possible missing capability check in ioctl function, drivers/net/cris/eth_v10.c, kernel 2.6.11

Hello,

I'm a researcher in the Stanford Metacompilation group. I amcollaborating with Bryan Fulton at Coverity on using static analysis tofind capability related security errors. We're currently looking intocreating a checker using statistical analysis to detect improper ormissing capability checks in the Linux kernel.

Here's an example of what we think might be a bug (kernel version2.6.11):

In several network drivers that handle the ioctl command SIOCSMIIREG(writes a register on the network card) most implementations check forthe CAP_NET_ADMIN capability. Several drivers use the function"generic_mii_ioctl" to process this command (defined indrivers/net/mii.c). In mii.c, we see:


line 291
	case SIOCSMIIREG: {
		u16 val = mii_data->val_in;

		if (!capable(CAP_NET_ADMIN))
			return -EPERM;

		if (mii_data->phy_id == mii_if->phy_id) {
			switch(mii_data->reg_num) {
			case MII_BMCR: {
...

Here the capability check is clearly executed before any state ismodified.

In drivers/net/cris/eth_v10.c, the capability check is elided ine100_ioctl:


static int
e100_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
{
	struct mii_ioctl_data *data = if_mii(ifr);
	struct net_local *np = netdev_priv(dev);

	spin_lock(&np->lock); /* Preempt protection */
	switch (cmd) {
		case SIOCETHTOOL:
			return e100_ethtool_ioctl(dev,ifr);
		case SIOCGMIIPHY: /* Get PHY address */
			data->phy_id = mdio_phy_addr;
			break;
		case SIOCGMIIREG: /* Read MII register */
			data->val_out = e100_get_mdio_reg(dev, mdio_phy_addr, data->reg_num);
			break;

case SIOCSMIIREG: /* Write MII register */ <===== MISSINGCAPABILITY CHECK

			e100_set_mdio_reg(dev, mdio_phy_addr, data->reg_num, data->val_in);
			break;
...

Does this seem valid? Currently we are looking primarily into theioctls in drivers/net, but we would like to extend this to other partsof the kernel. Our understanding of what code should be protected bywhat capabilities is limited, so any feedback on this would bewonderful.


Thanks,
Ted Kremenek and Bryan Fulton

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: [CHECKER] possible missing capability check in ioctl function, drivers/net/cris/eth_v10.c, kernel 2.6.11
  - From: Chris Wright <[email protected]>
- Re: [CHECKER] possible missing capability check in ioctl function, drivers/net/cris/eth_v10.c, kernel 2.6.11
  - From: Mitchell Blank Jr <[email protected]>

Prev by Date: [RFC][x86_64] Introducing the memmap= kernel command line option
Next by Date: Re: [Bug] invalid mac address after rebooting (2.6.12-rc2-mm2)
Previous by thread: [RFC][x86_64] Introducing the memmap= kernel command line option
Next by thread: Re: [CHECKER] possible missing capability check in ioctl function, drivers/net/cris/eth_v10.c, kernel 2.6.11
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]