lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20230207133916.3109147-1-dhowells@redhat.com>
Date:   Tue,  7 Feb 2023 13:39:14 +0000
From:   David Howells <dhowells@...hat.com>
To:     Jens Axboe <axboe@...nel.dk>, Al Viro <viro@...iv.linux.org.uk>,
        Christoph Hellwig <hch@...radead.org>
Cc:     David Howells <dhowells@...hat.com>,
        Matthew Wilcox <willy@...radead.org>, Jan Kara <jack@...e.cz>,
        Jeff Layton <jlayton@...nel.org>,
        David Hildenbrand <david@...hat.com>,
        Jason Gunthorpe <jgg@...dia.com>,
        Logan Gunthorpe <logang@...tatee.com>,
        Hillf Danton <hdanton@...a.com>, linux-fsdevel@...r.kernel.org,
        linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org
Subject: [PATCH 0/2] iomap, splice: Fix DIO/splice_read race memory corruptor and kill off ITER_PIPE

Hi Jens, Christoph, Al,

Syzbot found a bug[1] that my bio/FOLL_PIN code[2] inadvertently
introduced.  The problem is that with my patches, pages obtained from
kernel-backed iterators aren't ref'd or pinned when they're extracted and
thus struct bio doesn't retain them.  A DIO-read from a file through iomap
that races with truncate may in __iomap_dio_rw() call iov_iter_revert() on
the iov_iter it was given.

Unfortunately, if the iterator is an ITER_PIPE, the reversion has side
effects: the pages rolled back get released.  Those pages, however, are not
retained by the uncompleted bio and may get modified after their release.

The first patch fixes this by switching to bulk allocating all the
necessary pages up front and adding them to an ITER_BVEC iterator, doing
the I/O and only then trimming the excess pages.  The remaining pages are
then pushed into the pipe.  This has the downside (as the code stands) of
not handling any partial page lurking in the pipe - though that could be
places as the first element in the bvec.  OTOH, using the bulk allocation
API should be more efficient.

As this is the only user of ITER_PIPE, the second patch removes ITER_PIPE
and all its associated iov_iter helper functions.

Thanks to Hillf Danton for spotting that iov_iter_revert() was involved[3].

[!] Jens: Note that there's a window in the linux-block/for-next branch
    with a memory corruptor bug that someone bisecting might hit.  These
    two patches would be better pushed to the front of my iov-extract
    branch to eliminate the window.  Would it be possible for you to
    replace my branch in your for-next branch at this point?

I've pushed the patches here also:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=iov-fixes

David

Link: https://lore.kernel.org/r/000000000000b0b3c005f3a09383@google.com/ [1]
Link: https://lore.kernel.org/r/20230126141626.2809643-1-dhowells@redhat.com/ [2]
Link: https://lore.kernel.org/r/20230207094731.1390-1-hdanton@sina.com/ [3]

David Howells (2):
  vfs, iomap: Fix generic_file_splice_read() to avoid reversion of
    ITER_PIPE
  iov_iter: Kill ITER_PIPE

 fs/cifs/file.c      |   8 +-
 fs/splice.c         |  76 ++++++-
 include/linux/uio.h |  14 --
 lib/iov_iter.c      | 492 +-------------------------------------------
 mm/filemap.c        |   3 -
 5 files changed, 72 insertions(+), 521 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ