From: Al Viro <viro@ZenIV.linux.org.uk>
To: Jann Horn <jannh@google.com>
Cc: Jens Axboe <axboe@kernel.dk>,
FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>,
Doug Gilbert <dgilbert@interlog.com>,
"James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-block@vger.kernel.org, linux-scsi@vger.kernel.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, security@kernel.org
Subject: Re: [PATCH] sg, bsg: mitigate read/write abuse, block uaccess in release
Date: Fri, 15 Jun 2018 17:49:30 +0100 [thread overview]
Message-ID: <20180615164930.GE30522@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20180615152335.208202-1-jannh@google.com>
On Fri, Jun 15, 2018 at 05:23:35PM +0200, Jann Horn wrote:
> As Al Viro noted in commit 128394eff343 ("sg_write()/bsg_write() is not fit
> to be called under KERNEL_DS"), sg and bsg improperly access userspace
> memory outside the provided buffer, permitting kernel memory corruption via
> splice().
> But they don't just do it on ->write(), also on ->read() and (in the case
> of bsg) even on ->release().
>
> As a band-aid, make sure that the ->read() and ->write() handlers can not
> be called in weird contexts (kernel context or credentials different from
> file opener), like for ib_safe_file_access().
> Also, completely prevent user memory accesses from ->release().
Band-aid it is, and a bloody awful one, at that. What the hell is going on
in bsg_put_device() and can it _ever_ hit that call chain? I.e.
bsg_release()
bsg_put_device()
blk_complete_sgv4_hdr_rq()
->complete_rq()
copy_to_user()
If it can, the whole thing is FUBAR by design - ->release() may bloody well
be called in a context that has no userspace at all.
This is completely insane; what's going on there?
next prev parent reply other threads:[~2018-06-15 16:49 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-15 15:23 [PATCH] sg, bsg: mitigate read/write abuse, block uaccess in release Jann Horn
2018-06-15 16:40 ` Al Viro
2018-06-15 16:44 ` Jann Horn
2018-06-15 16:53 ` Al Viro
2018-06-15 17:10 ` Al Viro
2018-06-15 17:13 ` Jann Horn
2018-06-15 20:47 ` Douglas Gilbert
2018-06-18 15:26 ` Benjamin Block
2018-06-18 15:37 ` Jens Axboe
2018-06-18 16:16 ` Al Viro
2018-06-18 16:23 ` Jens Axboe
2018-06-21 12:34 ` Christoph Hellwig
2018-06-21 12:51 ` Jann Horn
2018-06-21 13:03 ` Christoph Hellwig
2018-06-21 14:07 ` Jens Axboe
2018-07-08 14:58 ` Christoph Hellwig
2018-07-10 20:53 ` Jann Horn
2018-07-11 6:33 ` Christoph Hellwig
2018-06-15 16:49 ` Al Viro [this message]
2018-06-15 16:58 ` Jann Horn
2018-06-15 17:02 ` Jann Horn
2018-06-21 12:40 ` Christoph Hellwig
2018-06-21 12:54 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180615164930.GE30522@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=axboe@kernel.dk \
--cc=dgilbert@interlog.com \
--cc=fujita.tomonori@lab.ntt.co.jp \
--cc=jannh@google.com \
--cc=jejb@linux.vnet.ibm.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).