lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <affc1b9e84738b96f2e4e24a6fc95e09ef9a7b4b.1456308281.git.jslaby@suse.cz>
Date:	Wed, 24 Feb 2016 11:05:17 +0100
From:	Jiri Slaby <jslaby@...e.cz>
To:	stable@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org,
	Roman Gushchin <klamm@...dex-team.ru>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Maxim Patlasov <mpatlasov@...allels.com>,
	Konstantin Khlebnikov <khlebnikov@...dex-team.ru>,
	Miklos Szeredi <miklos@...redi.hu>, Jiri Slaby <jslaby@...e.cz>
Subject: [PATCH 3.12 122/142] fuse: break infinite loop in fuse_fill_write_pages()

From: Roman Gushchin <klamm@...dex-team.ru>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3ca8138f014a913f98e6ef40e939868e1e9ea876 upstream.

I got a report about unkillable task eating CPU. Further
investigation shows, that the problem is in the fuse_fill_write_pages()
function. If iov's first segment has zero length, we get an infinite
loop, because we never reach iov_iter_advance() call.

Fix this by calling iov_iter_advance() before repeating an attempt to
copy data from userspace.

A similar problem is described in 124d3b7041f ("fix writev regression:
pan hanging unkillable and un-straceable"). If zero-length segmend
is followed by segment with invalid address,
iov_iter_fault_in_readable() checks only first segment (zero-length),
iov_iter_copy_from_user_atomic() skips it, fails at second and
returns zero -> goto again without skipping zero-length segment.

Patch calls iov_iter_advance() before goto again: we'll skip zero-length
segment at second iteraction and iov_iter_fault_in_readable() will detect
invalid address.

Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
description.

Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: Maxim Patlasov <mpatlasov@...allels.com>
Cc: Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
Signed-off-by: Roman Gushchin <klamm@...dex-team.ru>
Signed-off-by: Miklos Szeredi <miklos@...redi.hu>
Fixes: ea9b9907b82a ("fuse: implement perform_write")
Signed-off-by: Jiri Slaby <jslaby@...e.cz>
---
 fs/fuse/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index d08c108065e1..8ef52e12cd57 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -988,6 +988,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
 		tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes);
 		flush_dcache_page(page);
 
+		iov_iter_advance(ii, tmp);
 		if (!tmp) {
 			unlock_page(page);
 			page_cache_release(page);
@@ -1000,7 +1001,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
 		req->page_descs[req->num_pages].length = tmp;
 		req->num_pages++;
 
-		iov_iter_advance(ii, tmp);
 		count += tmp;
 		pos += tmp;
 		offset += tmp;
-- 
2.7.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ