| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Oct 2018 17:04:18 +0200
From: Jann Horn <jannh@...gle.com>
To: Al Viro <viro@...iv.linux.org.uk>,
Miklos Szeredi <miklos@...redi.hu>,
Jens Axboe <axboe@...nel.dk>, Jens Axboe <axboe@...com>,
jannh@...gle.com
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Kees Cook <keescook@...omium.org>,
Eric Biggers <ebiggers@...gle.com>
Subject: [PATCH 1/2] splice: don't merge into linked buffers
Before this patch, it was possible for two pipes to affect each other after
data had been transferred between them with tee():
============
$ cat tee_test.c
int main(void) {
int pipe_a[2];
if (pipe(pipe_a)) err(1, "pipe");
int pipe_b[2];
if (pipe(pipe_b)) err(1, "pipe");
if (write(pipe_a[1], "abcd", 4) != 4) err(1, "write");
if (tee(pipe_a[0], pipe_b[1], 2, 0) != 2) err(1, "tee");
if (write(pipe_b[1], "xx", 2) != 2) err(1, "write");
char buf[5];
if (read(pipe_a[0], buf, 4) != 4) err(1, "read");
buf[4] = 0;
printf("got back: '%s'\n", buf);
}
$ gcc -o tee_test tee_test.c
$ ./tee_test
got back: 'abxx'
$
============
Fix it by explicitly marking buffers as mergeable and clearing that flag in
splice_pipe_to_pipe() and link_pipe().
Cc: <stable@...r.kernel.org>
Fixes: 7c77f0b3f920 ("splice: implement pipe to pipe splicing")
Fixes: 70524490ee2e ("[PATCH] splice: add support for sys_tee()")
Signed-off-by: Jann Horn <jannh@...gle.com>
---
Cleanup in the next patch, to simplify backporting.
fs/pipe.c | 5 +++--
fs/splice.c | 6 ++++++
include/linux/pipe_fs_i.h | 8 ++++++++
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index bdc5d3c0977d..4e2eee77f855 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -379,7 +379,8 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
struct pipe_buffer *buf = pipe->bufs + lastbuf;
int offset = buf->offset + buf->len;
- if (buf->ops->can_merge && offset + chars <= PAGE_SIZE) {
+ if (buf->ops->can_merge && offset + chars <= PAGE_SIZE &&
+ (buf->flags & PIPE_BUF_FLAG_MAYMERGE)) {
ret = pipe_buf_confirm(pipe, buf);
if (ret)
goto out;
@@ -439,7 +440,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
buf->ops = &anon_pipe_buf_ops;
buf->offset = 0;
buf->len = copied;
- buf->flags = 0;
+ buf->flags = PIPE_BUF_FLAG_MAYMERGE;
if (is_packetized(filp)) {
buf->ops = &packet_pipe_buf_ops;
buf->flags = PIPE_BUF_FLAG_PACKET;
diff --git a/fs/splice.c b/fs/splice.c
index b3daa971f597..111977c80dfd 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1593,6 +1593,9 @@ static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
*/
obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
+ /* We can't merge data into a buffer we don't own. */
+ obuf->flags &= ~PIPE_BUF_FLAG_MAYMERGE;
+
obuf->len = len;
opipe->nrbufs++;
ibuf->offset += obuf->len;
@@ -1667,6 +1670,9 @@ static int link_pipe(struct pipe_inode_info *ipipe,
*/
obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
+ /* We can't merge data into a buffer we don't own. */
+ obuf->flags &= ~PIPE_BUF_FLAG_MAYMERGE;
+
if (obuf->len > len)
obuf->len = len;
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
index 5a3bb3b7c9ad..8893711f9171 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -8,6 +8,14 @@
#define PIPE_BUF_FLAG_ATOMIC 0x02 /* was atomically mapped */
#define PIPE_BUF_FLAG_GIFT 0x04 /* page is a gift */
#define PIPE_BUF_FLAG_PACKET 0x08 /* read() as a packet */
+/*
+ * Set this flag if the generic pipe read/write may coalesce data into an
+ * existing buffer. If this is not set, a new pipe page segment is always used
+ * for new data.
+ * When pipe data is copied by reference (as in the tee() syscall), this flag
+ * must be cleared on the copy.
+ */
+#define PIPE_BUF_FLAG_MAYMERGE 0x10
/**
* struct pipe_buffer - a linux kernel pipe buffer
--
2.19.0.605.g01d371f741-goog
Powered by blists - more mailing lists