lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Feb 2016 15:35:59 -0700 From: Ross Zwisler <zwisler@...il.com> To: chenjie6@...wei.com, Ross Zwisler <ross.zwisler@...ux.intel.com> Cc: Alexander Viro <viro@...iv.linux.org.uk>, Matthew Wilcox <willy@...ux.intel.com>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, zhihui.gao@...wei.com, LKML <linux-kernel@...r.kernel.org>, lizefan@...wei.com, stable@...r.kernel.org Subject: Re: [PATCH] bugfix of access a invalid addr On Wed, Feb 17, 2016 at 3:02 AM, <chenjie6@...wei.com> wrote: > From: chenjie <chenjie6@...wei.com> > > when we run fs_fsbase_t, some testcase like > write05 failed > > write05 0 TINFO : Enter Block 1: test with bad fd > write05 1 TPASS : received EBADF as expected. > write05 0 TINFO : Exit Block 1 > write05 0 TINFO : Enter Block 2: test with a bad address > write05 2 TFAIL : write() on an invalid buffer succeeded, > but should have failed I'm not sure what fs_fsbase_t is, but when testing by hand I do correctly see an error when I give a bogus user address to dax_io(). Here's the check that fails: if (iov_iter_rw(iter) == WRITE) { len = copy_from_iter_pmem(dax.addr, max - pos, iter); need_wmb = true; } else if (!hole) len = copy_to_iter((void __force *) dax.addr, max - pos, iter); else len = iov_iter_zero(max - pos, iter); if (!len) { rc = -EFAULT; break; } This last if(!len) check fails, and we return -EFAULT. Can you share a small test program to that reproduces incorrect behavior? > > Cc: <stable@...r.kernel.org> > Signed-off-by: chenjie <chenjie6@...wei.com> > > --- > fs/dax.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/fs/dax.c b/fs/dax.c > index fc2e314..e1b1ff6 100644 > --- a/fs/dax.c > +++ b/fs/dax.c > @@ -214,6 +214,11 @@ static ssize_t dax_io(struct inode *inode, struct iov_iter *iter, > max = min(pos + size, end); > } > > + if (unlikely(iov_iter_fault_in_readable(iter, max - pos))) { > + retval = -EFAULT; This doesn't compile... s/retval/rc/
Powered by blists - more mailing lists