lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130311204601.GA22369@kroah.com>
Date:	Mon, 11 Mar 2013 13:46:01 -0700
From:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:	Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Security Officers <security@...nel.org>,
	Al Viro <viro@...IV.linux.org.uk>, stable@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Fix: compat_rw_copy_check_uvector() misuse in aio,
 readv, writev, and security keys

On Mon, Feb 25, 2013 at 10:20:36AM -0500, Mathieu Desnoyers wrote:
> Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
> compat_process_vm_rw() shows that the compatibility code requires an
> explicit "access_ok()" check before calling
> compat_rw_copy_check_uvector(). The same difference seems to appear when
> we compare fs/read_write.c:do_readv_writev() to
> fs/compat.c:compat_do_readv_writev().
> 
> This subtle difference between the compat and non-compat requirements
> should probably be debated, as it seems to be error-prone. In fact,
> there are two others sites that use this function in the Linux kernel,
> and they both seem to get it wrong:
> 
> Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
> also ends up calling compat_rw_copy_check_uvector() through
> aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
> be missing. Same situation for
> security/keys/compat.c:compat_keyctl_instantiate_key_iov().
> 
> I propose that we add the access_ok() check directly into
> compat_rw_copy_check_uvector(), so callers don't have to worry about it,
> and it therefore makes the compat call code similar to its non-compat
> counterpart. Place the access_ok() check in the same location where
> copy_from_user() can trigger a -EFAULT error in the non-compat code, so
> the ABI behaviors are alike on both compat and non-compat.
> 
> While we are here, fix compat_do_readv_writev() so it checks for
> compat_rw_copy_check_uvector() negative return values.
> 
> And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
> handling.
> 
> Acked-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Acked-by: Al Viro <viro@...IV.linux.org.uk>
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
> ---
>  fs/compat.c            |   15 +++++++--------
>  mm/process_vm_access.c |    8 --------
>  security/keys/compat.c |    4 ++--
>  3 files changed, 9 insertions(+), 18 deletions(-)

What ever happened to this patch?  I don't see it in Linus's tree, was
it not correct?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ