| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 May 2018 04:06:56 +0000
From: "Dilger, Andreas" <andreas.dilger@...el.com>
To: Wenwen Wang <wang6495@....edu>
CC: Kangjie Lu <kjlu@....edu>, "Drokin, Oleg" <oleg.drokin@...el.com>,
"James Simmons" <jsimmons@...radead.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Aastha Gupta <aastha.gupta4104@...il.com>,
NeilBrown <neilb@...e.com>,
Roman Storozhenko <romeusmeister@...il.com>,
Luis de Bethencourt <luisbg@...nel.org>,
Jeff Layton <jlayton@...hat.com>,
"moderated list:STAGING - LUSTRE PARALLEL FILESYSTEM"
<lustre-devel@...ts.lustre.org>,
"open list:STAGING SUBSYSTEM" <devel@...verdev.osuosl.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] staging: lustre: llite: fix potential missing-check
bug when copying lumv
On Apr 30, 2018, at 16:56, Wenwen Wang <wang6495@....edu> wrote:
>
> In ll_dir_ioctl(), the object lumv3 is firstly copied from the user space
> using Its address, i.e., lumv1 = &lumv3. If the lmm_magic field of lumv3 is
> LOV_USER_MAGIC_V3, lumv3 will be modified by the second copy from the user
> space. The second copy is necessary, because the two versions (i.e.,
> lov_user_md_v1 and lov_user_md_v3) have different data formats and lengths.
> However, given that the user data resides in the user space, a malicious
> user-space process can race to change the data between the two copies. By
> doing so, the attacker can provide a data with an inconsistent version,
> e.g., v1 version + v3 data. This can lead to logical errors in the
> following execution in ll_dir_setstripe(), which performs different actions
> according to the version specified by the field lmm_magic.
>
> This patch rechecks the version field lmm_magic in the second copy. If the
> version is not as expected, i.e., LOV_USER_MAGIC_V3, an error code will be
> returned: -EINVAL.
>
> Signed-off-by: Wenwen Wang <wang6495@....edu>
Thanks for the updated patch.
Reviewed-by: Andreas Dilger <andreas.dilger@...el.com>
> ---
> drivers/staging/lustre/lustre/llite/dir.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c
> index d10d272..80d44ca 100644
> --- a/drivers/staging/lustre/lustre/llite/dir.c
> +++ b/drivers/staging/lustre/lustre/llite/dir.c
> @@ -1185,6 +1185,8 @@ static long ll_dir_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> if (lumv1->lmm_magic == LOV_USER_MAGIC_V3) {
> if (copy_from_user(&lumv3, lumv3p, sizeof(lumv3)))
> return -EFAULT;
> + if (lumv3.lmm_magic != LOV_USER_MAGIC_V3)
> + return -EINVAL;
> }
>
> if (is_root_inode(inode))
> --
> 2.7.4
>
Cheers, Andreas
--
Andreas Dilger
Lustre Principal Architect
Intel Corporation
Powered by blists - more mailing lists