| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a44acf6edf8714f9e247e8de371d0f00521ec6b5.camel@redhat.com>
Date: Mon, 31 Jul 2023 14:33:28 -0400
From: Laurence Oberman <loberman@...hat.com>
To: Oleksandr Natalenko <oleksandr@...hat.com>,
linux-kernel@...r.kernel.org
Cc: linux-scsi@...r.kernel.org, Saurav Kashyap <skashyap@...vell.com>,
Johannes Thumshirn <Johannes.Thumshirn@....com>,
David Laight <David.Laight@...LAB.COM>,
GR-QLogic-Storage-Upstream@...vell.com,
"James E.J. Bottomley" <jejb@...ux.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Jozef Bacik <jobacik@...hat.com>, Rob Evers <revers@...hat.com>
Subject: Re: [PATCH v2 0/3] scsi: qedf: sanitise uaccess
On Mon, 2023-07-31 at 10:40 +0200, Oleksandr Natalenko wrote:
> qedf driver, debugfs part of it specifically, touches __user pointers
> directly for printing out info to userspace via sprintf(), which may
> cause crash like this:
>
> BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
> IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
> Oops: 0003 [#1] SMP
> Call Trace:
> [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
> [<ffffffffaa7aa556>] sprintf+0x56/0x80
> [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90
> [qedf]
> [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
> [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
>
> Avoid this by preparing the info in a kernel buffer first, either
> allocated on stack for small printouts, or via vmalloc() for big
> ones,
> and then copying it to the userspace properly.
>
> Changes since v1 [1]:
>
> * use scnprintf() for on-stack buffers too
> * adjust an on-stack buffer size in qedf_dbg_debug_cmd_read() to be
> a
> multiple of 8, and also size it properly
> * accumulate acks and reviews
>
> [1]
> https://lore.kernel.org/lkml/20230728065819.139694-1-oleksandr@redhat.com/
>
> Oleksandr Natalenko (3):
> scsi: qedf: do not touch __user pointer in
> qedf_dbg_stop_io_on_error_cmd_read() directly
> scsi: qedf: do not touch __user pointer in
> qedf_dbg_debug_cmd_read()
> directly
> scsi: qedf: do not touch __user pointer in
> qedf_dbg_fp_int_cmd_read()
> directly
>
> drivers/scsi/qedf/qedf_dbg.h | 2 ++
> drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-----------
> --
> 2 files changed, 23 insertions(+), 14 deletions(-)
>
In case it's needed
For the series v2 against 6.5-rc3
Reviewed-by: Laurence Oberman <loberman@...hat.com>
Tested-by: Laurence Oberman <loberman@...hat.com>
Test notes
Linux segstorage5 6.5.0-rc3+
[root@...storage5 qedf]# cd host2
[root@...storage5 host2]# ls
clear_stats debug driver_stats fp_int io_trace offload_stats
stop_io_on_error
[root@...storage5 host2]# cat stop_io_on_error
false
[root@...storage5 host2]# cat fp_int
Fastpath I/O completions
#0: 844
#1: 990
#2: 1036
#3: 1116
#4: 953
#5: 822
#6: 882
#7: 1073
#8: 1030
#9: 992
#10: 789
#11: 705
#12: 490
#13: 532
#14: 646
#15: 705
[root@...storage5 host2]# cat debug
debug mask = 0x2
Powered by blists - more mailing lists