lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Thu, 18 Feb 2016 15:35:59 -0700
From:	Ross Zwisler <zwisler@...il.com>
To:	chenjie6@...wei.com, Ross Zwisler <ross.zwisler@...ux.intel.com>
Cc:	Alexander Viro <viro@...iv.linux.org.uk>,
	Matthew Wilcox <willy@...ux.intel.com>,
	linux-fsdevel <linux-fsdevel@...r.kernel.org>,
	zhihui.gao@...wei.com, LKML <linux-kernel@...r.kernel.org>,
	lizefan@...wei.com, stable@...r.kernel.org
Subject: Re: [PATCH] bugfix of access a invalid addr

On Wed, Feb 17, 2016 at 3:02 AM,  <chenjie6@...wei.com> wrote:
> From: chenjie <chenjie6@...wei.com>
>
> when we run fs_fsbase_t, some testcase like
> write05 failed
>
> write05     0  TINFO  :  Enter Block 1: test with bad fd
> write05     1  TPASS  :  received EBADF as expected.
> write05     0  TINFO  :  Exit Block 1
> write05     0  TINFO  :  Enter Block 2: test with a bad address
> write05     2  TFAIL  :  write() on an invalid buffer succeeded,
>                          but should have failed

I'm not sure what fs_fsbase_t is, but when testing by hand I do
correctly see an error when I give a bogus user address to dax_io().
Here's the check that fails:

                 if (iov_iter_rw(iter) == WRITE) {
                         len = copy_from_iter_pmem(dax.addr, max - pos, iter);
                         need_wmb = true;
                 } else if (!hole)
                         len = copy_to_iter((void __force *) dax.addr,
max - pos,
                                         iter);
                 else
                         len = iov_iter_zero(max - pos, iter);

                 if (!len) {
                         rc = -EFAULT;
                         break;
                 }

This last if(!len) check fails, and we return -EFAULT.

Can you share a small test program to that reproduces incorrect behavior?

>
> Cc: <stable@...r.kernel.org>
> Signed-off-by: chenjie <chenjie6@...wei.com>
>
> ---
>  fs/dax.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/fs/dax.c b/fs/dax.c
> index fc2e314..e1b1ff6 100644
> --- a/fs/dax.c
> +++ b/fs/dax.c
> @@ -214,6 +214,11 @@ static ssize_t dax_io(struct inode *inode, struct iov_iter *iter,
>                         max = min(pos + size, end);
>                 }
>
> +               if (unlikely(iov_iter_fault_in_readable(iter, max - pos))) {
> +                       retval = -EFAULT;

This doesn't compile...
s/retval/rc/

Powered by blists - more mailing lists