lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 May 2017 01:26:35 +0100 From: Al Viro <viro@...IV.linux.org.uk> To: Shaohua Li <shli@...com> Cc: linux-kernel@...r.kernel.org, akpm@...ux-foundation.org, Kernel-team@...com Subject: Re: [PATCH] FS: fix stack-out-of-bounds wanning On Mon, May 08, 2017 at 04:42:50PM -0700, Shaohua Li wrote: > I'm seeing below with lastet upstream. Commit > 5ecda13(generic_file_read_iter(): make use of iov_iter_revert()) > directly pass iter to ->direct_IO(), ->direct_io already advances count > bytes but return -EIOCBQUEUED. In this case, count is bigger than > iov_iter_count(iter). We really want to revert count - > iov_iter_count(iter) instead of the opposite. Already discussed; the patch in my tree is that braino fix + sanity check in iov_iter_revert(), to prevent anything similar in the future. The reason it wasn't caught in tests (without KASAN, that is) is that to get really obvious breakage out of that, you need a short read from ->direct_IO() *and* fallback to cached read after it. -EIOCBQUEUED obviously excludes the latter, so the bug is almost certain to remain quiet. There is a non-zero chance of actually running into unmapped memory while doing that iov_iter_revert(), but it's fairly low. Unfortunately, since that allowed the damn thing to remain unnoticed... Will be in tonight's pull request.
Powered by blists - more mailing lists