[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130311204601.GA22369@kroah.com>
Date: Mon, 11 Mar 2013 13:46:01 -0700
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Security Officers <security@...nel.org>,
Al Viro <viro@...IV.linux.org.uk>, stable@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Fix: compat_rw_copy_check_uvector() misuse in aio,
readv, writev, and security keys
On Mon, Feb 25, 2013 at 10:20:36AM -0500, Mathieu Desnoyers wrote:
> Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
> compat_process_vm_rw() shows that the compatibility code requires an
> explicit "access_ok()" check before calling
> compat_rw_copy_check_uvector(). The same difference seems to appear when
> we compare fs/read_write.c:do_readv_writev() to
> fs/compat.c:compat_do_readv_writev().
>
> This subtle difference between the compat and non-compat requirements
> should probably be debated, as it seems to be error-prone. In fact,
> there are two others sites that use this function in the Linux kernel,
> and they both seem to get it wrong:
>
> Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
> also ends up calling compat_rw_copy_check_uvector() through
> aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
> be missing. Same situation for
> security/keys/compat.c:compat_keyctl_instantiate_key_iov().
>
> I propose that we add the access_ok() check directly into
> compat_rw_copy_check_uvector(), so callers don't have to worry about it,
> and it therefore makes the compat call code similar to its non-compat
> counterpart. Place the access_ok() check in the same location where
> copy_from_user() can trigger a -EFAULT error in the non-compat code, so
> the ABI behaviors are alike on both compat and non-compat.
>
> While we are here, fix compat_do_readv_writev() so it checks for
> compat_rw_copy_check_uvector() negative return values.
>
> And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
> handling.
>
> Acked-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Acked-by: Al Viro <viro@...IV.linux.org.uk>
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
> ---
> fs/compat.c | 15 +++++++--------
> mm/process_vm_access.c | 8 --------
> security/keys/compat.c | 4 ++--
> 3 files changed, 9 insertions(+), 18 deletions(-)
What ever happened to this patch? I don't see it in Linus's tree, was
it not correct?
thanks,
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists