From: Jann Horn <jannh@google.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: axboe@kernel.dk, dgilbert@interlog.com,
	Al Viro <viro@zeniv.linux.org.uk>,
	fujita.tomonori@lab.ntt.co.jp, jejb@linux.vnet.ibm.com,
	martin.petersen@oracle.com, linux-block@vger.kernel.org,
	linux-scsi@vger.kernel.org,
	kernel list <linux-kernel@vger.kernel.org>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>,
	security@kernel.org
Subject: Re: [PATCH] sg, bsg: mitigate read/write abuse, block uaccess in release
Date: Thu, 21 Jun 2018 14:51:16 +0200
Message-ID: <CAG48ez3BWeZkW5XG814K4o7p0KWXVm9Gpzh2rTthNei=4fhH-A@mail.gmail.com>
In-Reply-To: <20180621123431.GA558@infradead.org>

On Thu, Jun 21, 2018 at 2:34 PM Christoph Hellwig <hch@infradead.org> wrote:
>
> On Mon, Jun 18, 2018 at 09:37:01AM -0600, Jens Axboe wrote:
> > It was born with that mode, but I don't think anyone ever really used it.
> > So it might be feasible to simply yank it. That said, just doing a prune
> > mode at ->release() time doesn't seem like such a hard task.
>
> Let's try to kill it.  It is a significant amount of code, which does
> fishy things and is probably entirely unused:
>
> ---
> From baec733be1b400d73d0fa2bfc07684598c4172e7 Mon Sep 17 00:00:00 2001
> From: Christoph Hellwig <hch@lst.de>
> Date: Thu, 21 Jun 2018 14:31:32 +0200
> Subject: bsg: remove read/write support
>
> The code poses a security risk due to user memory access in ->release
> and had an API that can't be used reliably.  As far as we know it was
> never used for real, but if that turns out wrong we'll have to revert
> this commit and come up with a band aid.

FWIW, I just had a look through Debian's codesearch (which AFAIK scans
through the source code of all software that Debian packages) for uses
of struct sg_io_v4: https://codesearch.debian.net/search?q=sg_io_v4

Hits that seem to be using read() or write() with struct sg_io_v4 on
bsg devices:

In the package https://packages.debian.org/stretch/tgt:
  https://sources.debian.org/src/tgt/1:1.0.73-1/usr/bs_sg.c/?hl=131#L131
  https://sources.debian.org/src/tgt/1:1.0.73-1/usr/bs_sg.c/?hl=236#L236
In the package https://packages.debian.org/stretch/sg3-utils:
  https://sources.debian.org/src/sg3-utils/1.42-2/examples/bsg_queue_tst.c/?hl=60#L60
