lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <1809398.1696238751@warthog.procyon.org.uk> Date: Mon, 02 Oct 2023 10:25:51 +0100 From: David Howells <dhowells@...hat.com> Cc: dhowells@...hat.com, Jens Axboe <axboe@...nel.dk>, Al Viro <viro@...iv.linux.org.uk>, Linus Torvalds <torvalds@...ux-foundation.org>, Christoph Hellwig <hch@....de>, Christian Brauner <christian@...uner.io>, David Laight <David.Laight@...LAB.COM>, Matthew Wilcox <willy@...radead.org>, Jeff Layton <jlayton@...nel.org>, linux-fsdevel@...r.kernel.org, linux-block@...r.kernel.org, linux-mm@...ck.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v7 08/12] iov_iter: Don't deal with iter->copy_mc in memcpy_from_iter_mc() David Howells <dhowells@...hat.com> wrote: > +static size_t __copy_from_iter_mc(void *addr, size_t bytes, struct iov_iter *i) > { > - struct iov_iter *iter = priv2; > + size_t progress; > > - if (iov_iter_is_copy_mc(iter)) > - return copy_mc_to_kernel(to + progress, iter_from, len); > - return memcpy_from_iter(iter_from, progress, len, to, priv2); > + if (unlikely(i->count < bytes)) > + bytes = i->count; > + if (unlikely(!bytes)) > + return 0; > + progress = iterate_bvec(i, bytes, addr, NULL, memcpy_from_iter_mc); > + i->count -= progress; i->count shouldn't be decreased here as iterate_bvec() now does that. This causes the LTP abort01 test to log a warning under KASAN (see below). I'll remove the line and repush the patches. David LTP: starting abort01 ================================================================== BUG: KASAN: stack-out-of-bounds in __copy_from_iter_mc+0x2e6/0x480 Read of size 4 at addr ffffc90004777594 by task abort01/708 CPU: 4 PID: 708 Comm: abort01 Not tainted 99.6.0-rc3-ged6251886a1d #46 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/Incus, BIOS unknown 2/2/2022 Call Trace: <TASK> dump_stack_lvl+0x3d/0x70 print_report+0xce/0x650 ? lock_acquire+0x1b1/0x330 kasan_report+0xda/0x110 ? __copy_from_iter_mc+0x2e6/0x480 ? __copy_from_iter_mc+0x2e6/0x480 __copy_from_iter_mc+0x2e6/0x480 copy_page_from_iter_atomic+0x517/0x1350 ? __pfx_copy_page_from_iter_atomic+0x10/0x10 ? __filemap_get_folio+0x281/0x6c0 ? folio_wait_writeback+0x53/0x1e0 ? prepare_pages.constprop.0+0x40b/0x6c0 btrfs_copy_from_user+0xc6/0x290 btrfs_buffered_write+0x8c9/0x1190 ? __pfx_btrfs_buffered_write+0x10/0x10 ? _raw_spin_unlock+0x2d/0x50 ? btrfs_file_llseek+0x100/0xf00 ? follow_page_mask+0x69f/0x1e10 btrfs_do_write_iter+0x859/0xff0 ? __pfx_btrfs_file_llseek+0x10/0x10 ? find_held_lock+0x2d/0x110 ? __pfx_btrfs_do_write_iter+0x10/0x10 ? __up_read+0x211/0x790 ? __pfx___get_user_pages+0x10/0x10 ? __pfx___up_read+0x10/0x10 ? __kernel_write_iter+0x3be/0x6d0 __kernel_write_iter+0x226/0x6d0 ? __pfx___kernel_write_iter+0x10/0x10 dump_user_range+0x25d/0x650 ? __pfx_dump_user_range+0x10/0x10 ? __pfx_writenote+0x10/0x10 elf_core_dump+0x231f/0x2e90 ? __pfx_elf_core_dump+0x10/0x10 ? do_coredump+0x12a9/0x38c0 ? kasan_set_track+0x25/0x30 ? __kasan_kmalloc+0xaa/0xb0 ? __kmalloc_node+0x6c/0x1b0 ? do_coredump+0x12a9/0x38c0 ? get_signal+0x1e7d/0x20f0 ? 0xffffffffff600000 ? mas_next_slot+0x328/0x1dd0 ? lock_acquire+0x162/0x330 ? do_coredump+0x2537/0x38c0 do_coredump+0x2537/0x38c0 ? __pfx_do_coredump+0x10/0x10 ? kmem_cache_free+0x114/0x520 ? find_held_lock+0x2d/0x110 get_signal+0x1e7d/0x20f0 ? __pfx_get_signal+0x10/0x10 ? do_send_specific+0xf1/0x1c0 ? __pfx_do_send_specific+0x10/0x10 arch_do_signal_or_restart+0x8b/0x4b0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 exit_to_user_mode_prepare+0xde/0x210 syscall_exit_to_user_mode+0x16/0x50 do_syscall_64+0x53/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Powered by blists - more mailing lists