* [PATCH v2] xfs: fix kernel memory exposure problems
@ 2017-04-03 17:34 Darrick J. Wong
2017-04-03 17:36 ` [PATCH] xfs: fix over-copying of getbmap parameters from userspace Darrick J. Wong
2017-04-03 19:42 ` [PATCH v2] xfs: fix kernel memory exposure problems Darrick J. Wong
0 siblings, 2 replies; 7+ messages in thread
From: Darrick J. Wong @ 2017-04-03 17:34 UTC (permalink / raw)
To: xfs; +Cc: Eric Sandeen, Christoph Hellwig
Fix a memory exposure problems in inumbers where we allocate an array of
structures with holes, fail to zero the holes, then blindly copy the
kernel memory contents (junk and all) into userspace.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
---
v2: split patches
---
fs/xfs/xfs_itable.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c
index 2a6d9b1..26d67ce 100644
--- a/fs/xfs/xfs_itable.c
+++ b/fs/xfs/xfs_itable.c
@@ -583,7 +583,7 @@ xfs_inumbers(
return error;
bcount = MIN(left, (int)(PAGE_SIZE / sizeof(*buffer)));
- buffer = kmem_alloc(bcount * sizeof(*buffer), KM_SLEEP);
+ buffer = kmem_zalloc(bcount * sizeof(*buffer), KM_SLEEP);
do {
struct xfs_inobt_rec_incore r;
int stat;
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH] xfs: fix over-copying of getbmap parameters from userspace
2017-04-03 17:34 [PATCH v2] xfs: fix kernel memory exposure problems Darrick J. Wong
@ 2017-04-03 17:36 ` Darrick J. Wong
2017-04-03 18:57 ` Christoph Hellwig
2017-04-03 19:42 ` [PATCH v2] xfs: fix kernel memory exposure problems Darrick J. Wong
1 sibling, 1 reply; 7+ messages in thread
From: Darrick J. Wong @ 2017-04-03 17:36 UTC (permalink / raw)
To: xfs; +Cc: Eric Sandeen, Christoph Hellwig
In xfs_ioc_getbmap, we should only copy the fields of struct getbmap
from userspace, or else we end up copying random stack contents into the
kernel. struct getbmap is a strict subset of getbmapx, so a partial
structure copy should work fine.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
fs/xfs/xfs_ioctl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 2fd7fdf..e44dde7 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1543,10 +1543,14 @@ xfs_ioc_getbmap(
unsigned int cmd,
void __user *arg)
{
- struct getbmapx bmx;
+ struct getbmapx bmx = { 0 };
int error;
- if (copy_from_user(&bmx, arg, sizeof(struct getbmapx)))
+ /*
+ * struct getbmap is a strict subset of struct getbmapx,
+ * so using a straight memory copy should work fine.
+ */
+ if (copy_from_user(&bmx, arg, offsetof(struct getbmapx, bmv_iflags)))
return -EFAULT;
if (bmx.bmv_count < 2)
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] xfs: fix over-copying of getbmap parameters from userspace
2017-04-03 17:36 ` [PATCH] xfs: fix over-copying of getbmap parameters from userspace Darrick J. Wong
@ 2017-04-03 18:57 ` Christoph Hellwig
2017-04-03 19:20 ` Darrick J. Wong
0 siblings, 1 reply; 7+ messages in thread
From: Christoph Hellwig @ 2017-04-03 18:57 UTC (permalink / raw)
To: Darrick J. Wong; +Cc: xfs, Eric Sandeen, Christoph Hellwig
> + * so using a straight memory copy should work fine.
I'd skip this half of the comment.
Otherwise looks fine:
Reviewed-by: Christoph Hellwig <hch@lst.de>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] xfs: fix over-copying of getbmap parameters from userspace
2017-04-03 18:57 ` Christoph Hellwig
@ 2017-04-03 19:20 ` Darrick J. Wong
0 siblings, 0 replies; 7+ messages in thread
From: Darrick J. Wong @ 2017-04-03 19:20 UTC (permalink / raw)
To: Christoph Hellwig; +Cc: xfs, Eric Sandeen
On Mon, Apr 03, 2017 at 11:57:02AM -0700, Christoph Hellwig wrote:
> > + * so using a straight memory copy should work fine.
>
> I'd skip this half of the comment.
Will do.
> Otherwise looks fine:
>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] xfs: fix kernel memory exposure problems
2017-04-03 17:34 [PATCH v2] xfs: fix kernel memory exposure problems Darrick J. Wong
2017-04-03 17:36 ` [PATCH] xfs: fix over-copying of getbmap parameters from userspace Darrick J. Wong
@ 2017-04-03 19:42 ` Darrick J. Wong
2017-04-03 20:06 ` Eric Sandeen
1 sibling, 1 reply; 7+ messages in thread
From: Darrick J. Wong @ 2017-04-03 19:42 UTC (permalink / raw)
To: xfs; +Cc: Eric Sandeen, Christoph Hellwig
On Mon, Apr 03, 2017 at 10:34:30AM -0700, Darrick J. Wong wrote:
> Fix a memory exposure problems in inumbers where we allocate an array of
> structures with holes, fail to zero the holes, then blindly copy the
> kernel memory contents (junk and all) into userspace.
>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
BTW, I intend to send this patch (though not the getbmap patch) for 4.11
since kernel memory exposure is usually treated as a security problem.
--D
> ---
> v2: split patches
> ---
> fs/xfs/xfs_itable.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c
> index 2a6d9b1..26d67ce 100644
> --- a/fs/xfs/xfs_itable.c
> +++ b/fs/xfs/xfs_itable.c
> @@ -583,7 +583,7 @@ xfs_inumbers(
> return error;
>
> bcount = MIN(left, (int)(PAGE_SIZE / sizeof(*buffer)));
> - buffer = kmem_alloc(bcount * sizeof(*buffer), KM_SLEEP);
> + buffer = kmem_zalloc(bcount * sizeof(*buffer), KM_SLEEP);
> do {
> struct xfs_inobt_rec_incore r;
> int stat;
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] xfs: fix kernel memory exposure problems
2017-04-03 19:42 ` [PATCH v2] xfs: fix kernel memory exposure problems Darrick J. Wong
@ 2017-04-03 20:06 ` Eric Sandeen
2017-04-04 6:54 ` Christoph Hellwig
0 siblings, 1 reply; 7+ messages in thread
From: Eric Sandeen @ 2017-04-03 20:06 UTC (permalink / raw)
To: Darrick J. Wong, xfs; +Cc: Eric Sandeen, Christoph Hellwig
On 4/3/17 2:42 PM, Darrick J. Wong wrote:
> On Mon, Apr 03, 2017 at 10:34:30AM -0700, Darrick J. Wong wrote:
>> Fix a memory exposure problems in inumbers where we allocate an array of
>> structures with holes, fail to zero the holes, then blindly copy the
>> kernel memory contents (junk and all) into userspace.
>>
>> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
>> Reviewed-by: Christoph Hellwig <hch@lst.de>
>
> BTW, I intend to send this patch (though not the getbmap patch) for 4.11
> since kernel memory exposure is usually treated as a security problem.
I agree with that plan; if this change isn't safe I don't know what
is ...
-Eric
> --D
>
>> ---
>> v2: split patches
>> ---
>> fs/xfs/xfs_itable.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c
>> index 2a6d9b1..26d67ce 100644
>> --- a/fs/xfs/xfs_itable.c
>> +++ b/fs/xfs/xfs_itable.c
>> @@ -583,7 +583,7 @@ xfs_inumbers(
>> return error;
>>
>> bcount = MIN(left, (int)(PAGE_SIZE / sizeof(*buffer)));
>> - buffer = kmem_alloc(bcount * sizeof(*buffer), KM_SLEEP);
>> + buffer = kmem_zalloc(bcount * sizeof(*buffer), KM_SLEEP);
>> do {
>> struct xfs_inobt_rec_incore r;
>> int stat;
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] xfs: fix kernel memory exposure problems
2017-04-03 20:06 ` Eric Sandeen
@ 2017-04-04 6:54 ` Christoph Hellwig
0 siblings, 0 replies; 7+ messages in thread
From: Christoph Hellwig @ 2017-04-04 6:54 UTC (permalink / raw)
To: Eric Sandeen; +Cc: Darrick J. Wong, xfs, Eric Sandeen, Christoph Hellwig
On Mon, Apr 03, 2017 at 03:06:42PM -0500, Eric Sandeen wrote:
> On 4/3/17 2:42 PM, Darrick J. Wong wrote:
> > On Mon, Apr 03, 2017 at 10:34:30AM -0700, Darrick J. Wong wrote:
> >> Fix a memory exposure problems in inumbers where we allocate an array of
> >> structures with holes, fail to zero the holes, then blindly copy the
> >> kernel memory contents (junk and all) into userspace.
> >>
> >> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> >> Reviewed-by: Christoph Hellwig <hch@lst.de>
> >
> > BTW, I intend to send this patch (though not the getbmap patch) for 4.11
> > since kernel memory exposure is usually treated as a security problem.
>
> I agree with that plan; if this change isn't safe I don't know what
> is ...
Yes. Please send this for 4.11-rc.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-04-04 6:54 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-04-03 17:34 [PATCH v2] xfs: fix kernel memory exposure problems Darrick J. Wong
2017-04-03 17:36 ` [PATCH] xfs: fix over-copying of getbmap parameters from userspace Darrick J. Wong
2017-04-03 18:57 ` Christoph Hellwig
2017-04-03 19:20 ` Darrick J. Wong
2017-04-03 19:42 ` [PATCH v2] xfs: fix kernel memory exposure problems Darrick J. Wong
2017-04-03 20:06 ` Eric Sandeen
2017-04-04 6:54 ` Christoph Hellwig
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.