lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Nov 2015 19:44:14 -0700 From: Jens Axboe <axboe@...nel.dk> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Al Viro <viro@...iv.linux.org.uk>, Sasha Levin <sasha.levin@...cle.com>, Andrey Ryabinin <ryabinin.a.a@...il.com>, Matthew Wilcox <willy@...ux.intel.com>, Chuck Ebbert <cebbert.lkml@...il.com>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, Dan Williams <dan.j.williams@...el.com> Subject: Re: fs: out of bounds on stack in iov_iter_advance On 11/10/2015 07:41 PM, Jens Axboe wrote: > On 11/10/2015 07:40 PM, Jens Axboe wrote: >> On 11/10/2015 07:31 PM, Linus Torvalds wrote: >>> On Tue, Nov 10, 2015 at 6:25 PM, Jens Axboe <axboe@...nel.dk> wrote: >>>> On Tue, Nov 10 2015, Linus Torvalds wrote: >>>>> Al, ping? >>>>> >>>>> On Thu, Nov 5, 2015 at 7:38 PM, Linus Torvalds >>>>> <torvalds@...ux-foundation.org> wrote: >>>>>> On Thu, Nov 5, 2015 at 6:19 PM, Al Viro <viro@...iv.linux.org.uk> >>>>>> wrote: >>>>>>> >>>>>>> How are we going to handle that one? I can put it into mainline >>>>>>> pull >>>>>>> request via vfs.git, with Cc: stable, but if e.g. Jens prefers to >>>>>>> take it >>>>>>> via the block tree, I'll be glad to leave it for him to deal with. >>>>>> >>>>>> Put it in the vfs tree (I'm hoping for a pull request soon..) >>>>>> >>>>>> I pulled the block trees from Jens yesterday, so there is presumably >>>>>> nothing pending there right now. >>>>> >>>>> Apparently my "hoping for a pull request soon" was ridiculously >>>>> optimistic. >>>>> >>>>> Al, looking at the most recent linux-next, most of the vfs commits >>>>> there seem to be committed in the last day or two. I'm getting the >>>>> feeling that that is all 4.5 material by now. >>>>> >>>>> Should I just take the iov patch as-is, since apparently no vfs pull >>>>> request is happening this merge cycle? And no, I'm not taking >>>>> "developed during the second week of the merge window, and sent in the >>>>> last few days of it". I'm done with that. >>>> >>>> I've got 8 other patches pending for a post core merge, just waiting >>>> for >>>> the last core pull request to go in. I haven't seen this iov iter fix, >>>> though. >>> >>> It was in this thread, looked like this (without the whitespace damage): >>> >>> dax_io(): don't let non-error value escape via retval instead of >>> EFAULT >>> >>> Signed-off-by: Al Viro <viro@...iv.linux.org.uk> >>> --- >>> diff --git a/fs/dax.c b/fs/dax.c >>> index a86d3cc..7b653e9 100644 >>> --- a/fs/dax.c >>> +++ b/fs/dax.c >>> @@ -169,8 +169,10 @@ static ssize_t dax_io(struct inode *inode, >>> struct iov_iter *iter, >>> else >>> len = iov_iter_zero(max - pos, iter); >>> >>> - if (!len) >>> + if (!len) { >>> + retval = -EFAULT; >>> break; >>> + } >>> >>> pos += len; >>> addr += len; >>> >>> >>> although I don't think I saw a confirmation that that was what Sasha >>> actually hit (but Sasha had narrowed it down to DAX, so it looks >>> possible/likely) >> >> I found it right after sending that email. Patch looks pretty straight >> forward, at least from the case of max - pos != 0 and len == 0 on >> return. Might be cleaner to add a >> >> if (retval < 0) >> break; >> >> check, that should be the case where max == pos anyway. But we'd >> potentially return -Exx into -EFAULT for that case with the patch. >> >> Hmm? > > So we already do that, in the 'if' above. I think the patch looks fine. Queued up. Unless Al objects, it'll be part of the 'for-linus' pull later this week. -- Jens Axboe -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists