From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Wenwen Wang <wang6495@umn.edu>,
Mike Snitzer <snitzer@redhat.com>
Subject: Re: [PATCH 181/190] Revert "dm ioctl: harden copy_params()'s copy_from_user() from malicious users"
Date: Tue, 27 Apr 2021 18:58:41 +0200 [thread overview]
Message-ID: <YIhCwe+FVtgm0LlD@kroah.com> (raw)
In-Reply-To: <20210421130105.1226686-182-gregkh@linuxfoundation.org>
On Wed, Apr 21, 2021 at 03:00:56PM +0200, Greg Kroah-Hartman wrote:
> This reverts commit 800a7340ab7dd667edf95e74d8e4f23a17e87076.
>
> Commits from @umn.edu addresses have been found to be submitted in "bad
> faith" to try to test the kernel community's ability to review "known
> malicious" changes. The result of these submissions can be found in a
> paper published at the 42nd IEEE Symposium on Security and Privacy
> entitled, "Open Source Insecurity: Stealthily Introducing
> Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
> of Minnesota) and Kangjie Lu (University of Minnesota).
>
> Because of this, all submissions from this group must be reverted from
> the kernel tree and will need to be re-reviewed again to determine if
> they actually are a valid fix. Until that work is complete, remove this
> change to ensure that no problems are being introduced into the
> codebase.
>
> Cc: stable@vger.kernel.org
> Cc: Wenwen Wang <wang6495@umn.edu>
> Cc: Mike Snitzer <snitzer@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> drivers/md/dm-ioctl.c | 18 ++++++++++++------
> 1 file changed, 12 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
> index 1ca65b434f1f..820342de92cd 100644
> --- a/drivers/md/dm-ioctl.c
> +++ b/drivers/md/dm-ioctl.c
> @@ -1747,7 +1747,8 @@ static void free_params(struct dm_ioctl *param, size_t param_size, int param_fla
> }
>
> static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel,
> - int ioctl_flags, struct dm_ioctl **param, int *param_flags)
> + int ioctl_flags,
> + struct dm_ioctl **param, int *param_flags)
> {
> struct dm_ioctl *dmi;
> int secure_data;
> @@ -1788,13 +1789,18 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern
>
> *param_flags |= DM_PARAMS_MALLOC;
>
> - /* Copy from param_kernel (which was already copied from user) */
> - memcpy(dmi, param_kernel, minimum_data_size);
> -
> - if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size,
> - param_kernel->data_size - minimum_data_size))
> + if (copy_from_user(dmi, user, param_kernel->data_size))
> goto bad;
> +
> data_copied:
> + /*
> + * Abort if something changed the ioctl data while it was being copied.
> + */
> + if (dmi->data_size != param_kernel->data_size) {
> + DMERR("rejecting ioctl: data size modified while processing parameters");
> + goto bad;
> + }
> +
> /* Wipe the user buffer so we do not return it to userspace */
> if (secure_data && clear_user(user, param_kernel->data_size))
> goto bad;
> --
> 2.31.1
>
Original looks correct, dropping this commit now.
greg k-h
next prev parent reply other threads:[~2021-04-27 16:58 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210421130105.1226686-1-gregkh@linuxfoundation.org>
2021-04-21 12:58 ` [PATCH 040/190] Revert "ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe()" Greg Kroah-Hartman
2021-04-21 17:54 ` Rafael J. Wysocki
2021-04-27 14:50 ` Greg Kroah-Hartman
2021-04-21 12:58 ` [PATCH 041/190] Revert "ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()" Greg Kroah-Hartman
2021-04-21 17:54 ` Rafael J. Wysocki
2021-04-27 14:50 ` Greg Kroah-Hartman
2021-04-21 12:59 ` [PATCH 081/190] Revert "tracing: Fix a memory leak by early error exit in trace_pid_write()" Greg Kroah-Hartman
2021-04-21 13:29 ` Steven Rostedt
2021-04-21 13:33 ` Steven Rostedt
2021-04-21 13:51 ` Greg Kroah-Hartman
2021-04-27 12:00 ` Greg Kroah-Hartman
2021-04-21 12:59 ` [PATCH 119/190] Revert "tty: mxs-auart: fix a potential NULL pointer dereference" Greg Kroah-Hartman
2021-04-22 5:03 ` Jiri Slaby
2021-04-26 17:03 ` Greg Kroah-Hartman
2021-04-21 12:59 ` [PATCH 120/190] Revert "tty: atmel_serial: " Greg Kroah-Hartman
2021-04-22 5:18 ` Jiri Slaby
2021-04-22 6:47 ` Richard Genoud
2021-04-26 17:04 ` Greg Kroah-Hartman
2021-04-21 12:59 ` [PATCH 121/190] Revert "serial: mvebu-uart: Fix to avoid " Greg Kroah-Hartman
2021-04-22 5:25 ` Jiri Slaby
2021-04-21 13:00 ` [PATCH 134/190] Revert "md: Fix failed allocation of md_register_thread" Greg Kroah-Hartman
2021-04-28 5:46 ` Greg Kroah-Hartman
2021-04-30 6:10 ` Song Liu
2021-04-30 6:34 ` Greg Kroah-Hartman
2021-04-21 13:00 ` [PATCH 181/190] Revert "dm ioctl: harden copy_params()'s copy_from_user() from malicious users" Greg Kroah-Hartman
2021-04-27 16:58 ` Greg Kroah-Hartman [this message]
2021-04-21 13:01 ` [PATCH 187/190] Revert "ALSA: control: fix a redundant-copy issue" Greg Kroah-Hartman
2021-04-21 16:30 ` Takashi Iwai
2021-04-27 13:57 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YIhCwe+FVtgm0LlD@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=snitzer@redhat.com \
--cc=stable@vger.kernel.org \
--cc=wang6495@umn.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).