Date: Mon, 18 Oct 2021 15:16:12 -0700
From: Andrew Morton
To: akpm@linux-foundation.org, christian.brauner@ubuntu.com, keescook@chromium.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, stable@vger.kernel.org, sunhao.th@gmail.com, torvalds@linux-foundation.org, viro@zeniv.linux.org.uk, willy@infradead.org, zohar@linux.ibm.com
Subject: [patch 16/19] vfs: check fd has read access in kernel_read_file_from_fd()
Message-ID: <20211018221612.hYn1e83d3%akpm@linux-foundation.org>
In-Reply-To: <20211018151438.f2246e2656c041b6753a8bdd@linux-foundation.org>

From: "Matthew Wilcox (Oracle)"
Subject: vfs: check fd has read access in kernel_read_file_from_fd()

If we open a file without read access and then pass the fd to a syscall
whose implementation calls kernel_read_file_from_fd(), we get a warning
from __kernel_read():

        if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))

This currently affects both finit_module() and kexec_file_load(), but it
could affect other syscalls in the future.

Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org
Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()")
Signed-off-by: Matthew Wilcox (Oracle) Reported-by: Hao Sun Reviewed-by: Kees Cook Acked-by: Christian Brauner Cc: Al Viro Cc: Mimi Zohar Cc: Signed-off-by: Andrew Morton --- fs/kernel_read_file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/kernel_read_file.c~vfs-check-fd-has-read-access-in-kernel_read_file_from_fd +++ a/fs/kernel_read_file.c @@ -178,7 +178,7 @@ int kernel_read_file_from_fd(int fd, lof struct fd f = fdget(fd); int ret = -EBADF; - if (!f.file) + if (!f.file || !(f.file->f_mode & FMODE_READ)) goto out; ret = kernel_read_file(f.file, offset, buf, buf_size, file_size, id); _
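
Review bot: The new `!(f.file->f_mode & FMODE_READ)` branch in kernel_read_file_from_fd() reaches `goto out` while holding a valid reference from fdget(), unlike the `!f.file` case, and the `out:` label is not visible in this hunk. Please confirm that path calls fdput(f), so that a fd opened without read access cannot leak a file reference. Both failures also return the same -EBADF from `int ret = -EBADF;`, so a one-line comment above the condition would help: it should say that the mode check exists to avoid the WARN_ON_ONCE in __kernel_read(), which explains to readers of the finit_module() and kexec_file_load() paths why a valid but non-readable fd is rejected as a bad descriptor.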