| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Jan 2016 17:05:04 -0800
From: Kamal Mostafa <kamal@...onical.com>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
kernel-team@...ts.ubuntu.com
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Maxim Patlasov <mpatlasov@...allels.com>,
Konstantin Khlebnikov <khlebnikov@...dex-team.ru>,
Roman Gushchin <klamm@...dex-team.ru>,
Miklos Szeredi <miklos@...redi.hu>,
Kamal Mostafa <kamal@...onical.com>
Subject: [PATCH 3.19.y-ckt 026/160] fuse: break infinite loop in fuse_fill_write_pages()
3.19.8-ckt13 -stable review patch. If anyone has any objections, please let me know.
---8<------------------------------------------------------------
From: Roman Gushchin <klamm@...dex-team.ru>
commit 3ca8138f014a913f98e6ef40e939868e1e9ea876 upstream.
I got a report about unkillable task eating CPU. Further
investigation shows, that the problem is in the fuse_fill_write_pages()
function. If iov's first segment has zero length, we get an infinite
loop, because we never reach iov_iter_advance() call.
Fix this by calling iov_iter_advance() before repeating an attempt to
copy data from userspace.
A similar problem is described in 124d3b7041f ("fix writev regression:
pan hanging unkillable and un-straceable"). If zero-length segmend
is followed by segment with invalid address,
iov_iter_fault_in_readable() checks only first segment (zero-length),
iov_iter_copy_from_user_atomic() skips it, fails at second and
returns zero -> goto again without skipping zero-length segment.
Patch calls iov_iter_advance() before goto again: we'll skip zero-length
segment at second iteraction and iov_iter_fault_in_readable() will detect
invalid address.
Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
description.
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: Maxim Patlasov <mpatlasov@...allels.com>
Cc: Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
Signed-off-by: Roman Gushchin <klamm@...dex-team.ru>
Signed-off-by: Miklos Szeredi <miklos@...redi.hu>
Fixes: ea9b9907b82a ("fuse: implement perform_write")
Signed-off-by: Kamal Mostafa <kamal@...onical.com>
---
fs/fuse/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 760b2c5..60788e9 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1043,6 +1043,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes);
flush_dcache_page(page);
+ iov_iter_advance(ii, tmp);
if (!tmp) {
unlock_page(page);
page_cache_release(page);
@@ -1055,7 +1056,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
req->page_descs[req->num_pages].length = tmp;
req->num_pages++;
- iov_iter_advance(ii, tmp);
count += tmp;
pos += tmp;
offset += tmp;
--
1.9.1
Powered by blists - more mailing lists