When reading the `sgx_ioctl` function code I noticed that the size of the receiving buffer is hardcoded (linux-sgx-driver/sgx_ioctl.c, line 259 in 2a509c2).

And the input data is copied to the buffer in the following way (linux-sgx-driver/sgx_ioctl.c, line 277 in 2a509c2):

```c
if (copy_from_user(data, (void __user *)arg, _IOC_SIZE(cmd)))
```

`_IOC_SIZE` can return up to `_IOC_SIZEMASK` bytes (== 8191) and is user-controlled (but currently the switch right before will filter it).

This seems like a ticking bomb to me; it's very easy to accidentally turn it into a buffer overflow when changing this code (e.g. by adding more fields to the input structs or changing the switch statement). Such an overflow would be detected in newest kernels by the hardened `copy_from_user`, but I think it's still better to change the code and stay on the safe side.

If you think it's worth fixing I can create a pull request.
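The bounded-copy pattern the issue asks for, as an added example written here and not the driver's own code: a user-space model of an ioctl handler with a fixed receiving buffer, where the command's size field is checked against both the buffer and the expected struct before any copy happens. The ioctl encoding macros mirror the kernel's asm-generic/ioctl.h layout; the struct, the command number and the copy_from_user stand-in are constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* ioctl number layout as in the kernel's asm-generic/ioctl.h:
 * dir:2 | size:14 | type:8 | nr:8 (the size field is caller-controlled) */
#define _IOC_NRSHIFT   0
#define _IOC_TYPESHIFT 8
#define _IOC_SIZESHIFT 16
#define _IOC_DIRSHIFT  30
#define _IOC_NRMASK    0xFFU
#define _IOC_SIZEMASK  ((1U << 14) - 1)
#define _IOC_WRITE     1U
#define _IOC(dir, type, nr, size) \
    (((dir) << _IOC_DIRSHIFT) | ((size) << _IOC_SIZESHIFT) | \
     ((type) << _IOC_TYPESHIFT) | ((nr) << _IOC_NRSHIFT))
#define _IOW(type, nr, t) _IOC(_IOC_WRITE, (type), (nr), (unsigned int)sizeof(t))
#define _IOC_NR(nr)       (((nr) >> _IOC_NRSHIFT) & _IOC_NRMASK)
#define _IOC_SIZE(nr)     (((nr) >> _IOC_SIZESHIFT) & _IOC_SIZEMASK)

/* Constructed stand-in for one of the driver's input structs and commands. */
struct demo_enclave_init { uint64_t addr; uint64_t sigstruct; uint64_t einittoken; };
#define DEMO_NR_ENCLAVE_INIT  0x02
#define DEMO_IOC_ENCLAVE_INIT _IOW('D', DEMO_NR_ENCLAVE_INIT, struct demo_enclave_init)

/* User-space stand-in for copy_from_user: returns the bytes left uncopied. */
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
    memcpy(to, from, n);
    return 0;
}

/* Hardened handler: the copy length is validated against the receiving
 * buffer and the command's expected struct before the copy, so a cmd with
 * a forged size field never reaches copy_from_user. Dispatching on _IOC_NR
 * instead of the full cmd is the kind of refactor that drops the implicit
 * filtering the issue relies on, which is why the explicit check matters. */
int demo_ioctl(unsigned int cmd, const void *arg)
{
    char data[256];                      /* fixed receiving buffer */
    unsigned int want;
    switch (_IOC_NR(cmd)) {
    case DEMO_NR_ENCLAVE_INIT: want = sizeof(struct demo_enclave_init); break;
    default: return -ENOTTY;
    }
    if (_IOC_SIZE(cmd) != want || want > sizeof(data))
        return -EINVAL;                  /* reject before touching the buffer */
    if (copy_from_user(data, arg, _IOC_SIZE(cmd)))
        return -EFAULT;
    return 0;
}
```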