| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130311205345.GA9410@Krystal> Date: Mon, 11 Mar 2013 16:53:45 -0400 From: Mathieu Desnoyers <mathieu.desnoyers@...icios.com> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Security Officers <security@...nel.org>, Al Viro <viro@...IV.linux.org.uk>, stable@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys * Greg Kroah-Hartman (gregkh@...uxfoundation.org) wrote: > On Mon, Feb 25, 2013 at 10:20:36AM -0500, Mathieu Desnoyers wrote: > > Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to > > compat_process_vm_rw() shows that the compatibility code requires an > > explicit "access_ok()" check before calling > > compat_rw_copy_check_uvector(). The same difference seems to appear when > > we compare fs/read_write.c:do_readv_writev() to > > fs/compat.c:compat_do_readv_writev(). > > > > This subtle difference between the compat and non-compat requirements > > should probably be debated, as it seems to be error-prone. In fact, > > there are two others sites that use this function in the Linux kernel, > > and they both seem to get it wrong: > > > > Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() > > also ends up calling compat_rw_copy_check_uvector() through > > aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to > > be missing. Same situation for > > security/keys/compat.c:compat_keyctl_instantiate_key_iov(). > > > > I propose that we add the access_ok() check directly into > > compat_rw_copy_check_uvector(), so callers don't have to worry about it, > > and it therefore makes the compat call code similar to its non-compat > > counterpart. Place the access_ok() check in the same location where > > copy_from_user() can trigger a -EFAULT error in the non-compat code, so > > the ABI behaviors are alike on both compat and non-compat. > > > > While we are here, fix compat_do_readv_writev() so it checks for > > compat_rw_copy_check_uvector() negative return values. > > > > And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error > > handling. > > > > Acked-by: Linus Torvalds <torvalds@...ux-foundation.org> > > Acked-by: Al Viro <viro@...IV.linux.org.uk> > > Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@...icios.com> > > --- > > fs/compat.c | 15 +++++++-------- > > mm/process_vm_access.c | 8 -------- > > security/keys/compat.c | 4 ++-- > > 3 files changed, 9 insertions(+), 18 deletions(-) > > What ever happened to this patch? I don't see it in Linus's tree, was > it not correct? Not sure. My guess would be that there is missing proof that I actually tested the patch by generating a OOPS splat and proof that it actually fixes it. I mainly tested that it does not break _correct_ use of aio, but I did not have enough time to created my own custom aio lib to generate the issue. So if this is what is expected, I might need a bit of help on this front. Testing odd behavior through libaio proved to non-straightforward. Thoughts ? Thanks, Mathieu > > thanks, > > greg k-h -- Mathieu Desnoyers EfficiOS Inc. http://www.efficios.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists