| Message ID | 1422477048-4550-1-git-send-email-sasha.levin@oracle.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
ping? On 01/28/2015 03:30 PM, Sasha Levin wrote: > We used to read file_handle twice. Once to get the amount of extra bytes, and > once to fetch the entire structure. > > This may be problematic since we do size verifications only after the first > read, so if the number of extra bytes changes in userspace between the first > and second calls, we'll have an incoherent view of file_handle. > > Instead, read the constant size once, and copy that over to the final > structure without having to re-read it again. > > Signed-off-by: Sasha Levin <sasha.levin@oracle.com> > --- > Change in v2: > - Use the f_handle pointer rather than size of struct > > fs/fhandle.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/fs/fhandle.c b/fs/fhandle.c > index 999ff5c..d59712d 100644 > --- a/fs/fhandle.c > +++ b/fs/fhandle.c > @@ -195,8 +195,9 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, > goto out_err; > } > /* copy the full handle */ > - if (copy_from_user(handle, ufh, > - sizeof(struct file_handle) + > + *handle = f_handle; > + if (copy_from_user(&handle->f_handle, > + &ufh->f_handle, > f_handle.handle_bytes)) { > retval = -EFAULT; > goto out_handle; > -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi, This commit fixes a race condition an unprivileged user can exploit to corrupt kernel memory. I can't seem to get anyone to grab it for the past 4+ months. Help please? Thanks, Sasha On 04/30/2015 11:04 AM, Sasha Levin wrote: > ping? > > On 01/28/2015 03:30 PM, Sasha Levin wrote: >> We used to read file_handle twice. Once to get the amount of extra bytes, and >> once to fetch the entire structure. >> >> This may be problematic since we do size verifications only after the first >> read, so if the number of extra bytes changes in userspace between the first >> and second calls, we'll have an incoherent view of file_handle. >> >> Instead, read the constant size once, and copy that over to the final >> structure without having to re-read it again. >> >> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> >> --- >> Change in v2: >> - Use the f_handle pointer rather than size of struct >> >> fs/fhandle.c | 5 +++-- >> 1 file changed, 3 insertions(+), 2 deletions(-) >> >> diff --git a/fs/fhandle.c b/fs/fhandle.c >> index 999ff5c..d59712d 100644 >> --- a/fs/fhandle.c >> +++ b/fs/fhandle.c >> @@ -195,8 +195,9 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, >> goto out_err; >> } >> /* copy the full handle */ >> - if (copy_from_user(handle, ufh, >> - sizeof(struct file_handle) + >> + *handle = f_handle; >> + if (copy_from_user(&handle->f_handle, >> + &ufh->f_handle, >> f_handle.handle_bytes)) { >> retval = -EFAULT; >> goto out_handle; >> > -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Jun 2, 2015 at 8:23 AM, Sasha Levin <sasha.levin@oracle.com> wrote: > > This commit fixes a race condition an unprivileged user can exploit to corrupt > kernel memory. I can't seem to get anyone to grab it for the past 4+ months. Will take it directly. Feel free to just cc me directly earlier if things take this long. Thanks, Linus -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/fhandle.c b/fs/fhandle.c index 999ff5c..d59712d 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -195,8 +195,9 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, goto out_err; } /* copy the full handle */ - if (copy_from_user(handle, ufh, - sizeof(struct file_handle) + + *handle = f_handle; + if (copy_from_user(&handle->f_handle, + &ufh->f_handle, f_handle.handle_bytes)) { retval = -EFAULT; goto out_handle;
We used to read file_handle twice. Once to get the amount of extra bytes, and once to fetch the entire structure. This may be problematic since we do size verifications only after the first read, so if the number of extra bytes changes in userspace between the first and second calls, we'll have an incoherent view of file_handle. Instead, read the constant size once, and copy that over to the final structure without having to re-read it again. Signed-off-by: Sasha Levin <sasha.levin@oracle.com> --- Change in v2: - Use the f_handle pointer rather than size of struct fs/fhandle.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)