* [SRU Hirsute/Impish] vfs: check fd has read access in kernel_read_file_from_fd()
       [not found] <20211116194217.481966-1-cascardo@canonical.com>
@ 2021-11-16 19:42 ` Thadeu Lima de Souza Cascardo
  2021-11-16 19:42 ` [SRU Focal/Bionic] " Thadeu Lima de Souza Cascardo
  1 sibling, 0 replies; 2+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2021-11-16 19:42 UTC (permalink / raw)
  To: kernel-team
  Cc: Matthew Wilcox (Oracle),
	Hao Sun, Kees Cook, Christian Brauner, Al Viro, Mimi Zohar,
	stable, Andrew Morton, Linus Torvalds,
	Thadeu Lima de Souza Cascardo

From: "Matthew Wilcox (Oracle)" <willy@infradead.org>

BugLink: https://bugs.launchpad.net/bugs/1950644

If we open a file without read access and then pass the fd to a syscall
whose implementation calls kernel_read_file_from_fd(), we get a warning
from __kernel_read():

        if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))

This currently affects both finit_module() and kexec_file_load(), but it
could affect other syscalls in the future.

Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org
Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reported-by: Hao Sun <sunhao.th@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 032146cda85566abcd1c4884d9d23e4e30a07e9a)
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 fs/kernel_read_file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/kernel_read_file.c b/fs/kernel_read_file.c
index 90d255fbdd9b..c84d87f558cb 100644
--- a/fs/kernel_read_file.c
+++ b/fs/kernel_read_file.c
@@ -178,7 +178,7 @@ int kernel_read_file_from_fd(int fd, loff_t offset, void **buf,
 	struct fd f = fdget(fd);
 	int ret = -EBADF;
 
-	if (!f.file)
+	if (!f.file || !(f.file->f_mode & FMODE_READ))
 		goto out;
 
 	ret = kernel_read_file(f.file, offset, buf, buf_size, file_size, id);
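
Review bot: The new second branch of `if (!f.file || !(f.file->f_mode & FMODE_READ))` reaches `goto out` while holding a valid reference from `fdget(fd)`, which the original `!f.file` case never did. The `out:` label is outside this hunk, so please confirm it calls `fdput(f)` unconditionally; otherwise a write-only fd would leak the file reference. A one-line comment above the check saying that a descriptor not opened for reading returns -EBADF, as read(2) does, would also make the errno seen by finit_module() and kexec_file_load() callers explicit.
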
-- 
2.32.0



* [SRU Focal/Bionic] vfs: check fd has read access in kernel_read_file_from_fd()
       [not found] <20211116194217.481966-1-cascardo@canonical.com>
  2021-11-16 19:42 ` [SRU Hirsute/Impish] vfs: check fd has read access in kernel_read_file_from_fd() Thadeu Lima de Souza Cascardo
@ 2021-11-16 19:42 ` Thadeu Lima de Souza Cascardo
  1 sibling, 0 replies; 2+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2021-11-16 19:42 UTC (permalink / raw)
  To: kernel-team
  Cc: Matthew Wilcox (Oracle),
	Hao Sun, Kees Cook, Christian Brauner, Al Viro, Mimi Zohar,
	stable, Andrew Morton, Linus Torvalds, Greg Kroah-Hartman,
	Thadeu Lima de Souza Cascardo

From: "Matthew Wilcox (Oracle)" <willy@infradead.org>

BugLink: https://bugs.launchpad.net/bugs/1950644

commit 032146cda85566abcd1c4884d9d23e4e30a07e9a upstream.

If we open a file without read access and then pass the fd to a syscall
whose implementation calls kernel_read_file_from_fd(), we get a warning
from __kernel_read():

        if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))

This currently affects both finit_module() and kexec_file_load(), but it
could affect other syscalls in the future.

Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org
Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reported-by: Hao Sun <sunhao.th@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0f218ba4c8aac7041cd8b81a5a893b0d121e6316 linux-5.4.y)
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 fs/exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/exec.c b/fs/exec.c
index eeba096e8a38..006f7fb40b96 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1000,7 +1000,7 @@ int kernel_read_file_from_fd(int fd, void **buf, loff_t *size, loff_t max_size,
 	struct fd f = fdget(fd);
 	int ret = -EBADF;
 
-	if (!f.file)
+	if (!f.file || !(f.file->f_mode & FMODE_READ))
 		goto out;
 
 	ret = kernel_read_file(f.file, buf, size, max_size, id);
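
Review bot: On the early exit at `goto out`, this older signature's out-parameters `buf` and `size` are never written, and that exit is now reachable with a valid but write-only fd, so callers must test the return value before touching either. Separately, the cherry-pick trailer names only linux-5.4.y while the subject covers both Focal and Bionic; a line stating that the same hunk applies to the Bionic tree's fs/exec.c would complete the backport provenance.
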
-- 
2.32.0

