From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dmitry Monakhov, Nicholas Bellinger, Sasha Levin
Subject: [PATCH 4.4 65/97] tcm_fileio: Prevent information leak for short reads
Date: Fri, 23 Mar 2018 10:54:52 +0100
Message-Id: <20180323094201.280440066@linuxfoundation.org>
In-Reply-To: <20180323094157.535925724@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Monakhov

[ Upstream commit f11b55d13563e9428c88c873f4f03a6bef11ec0a ]

If we failed to read data from backing file (probably because someone truncated the file under us), we must zerofill cmd's data, otherwise it will be returned as is. Most likely cmd's data are uninitialized pages from page cache. This results in an information leak.

(Change BUG_ON into -EINVAL se_cmd failure - nab)

testcase: https://github.com/dmonakhov/xfstests/commit/e11a1b7b907ca67b1be51a1594025600767366d5

Signed-off-by: Dmitry Monakhov
Signed-off-by: Nicholas Bellinger
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 drivers/target/target_core_file.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

--- a/drivers/target/target_core_file.c +++ b/drivers/target/target_core_file.c @@ -276,12 +276,11 @@ static int fd_do_rw(struct se_cmd *cmd, else ret = vfs_iter_read(fd, &iter, &pos); - kfree(bvec); - if (is_write) { if (ret < 0 || ret != data_length) { pr_err("%s() write returned %d\n", __func__, ret); - return (ret < 0 ? ret : -EINVAL); + if (ret >= 0) + ret = -EINVAL; } } else { /* @@ -294,17 +293,29 @@ static int fd_do_rw(struct se_cmd *cmd, pr_err("%s() returned %d, expecting %u for " "S_ISBLK\n", __func__, ret, data_length); - return (ret < 0 ? ret : -EINVAL); + if (ret >= 0) + ret = -EINVAL; } } else { if (ret < 0) { pr_err("%s() returned %d for non S_ISBLK\n", __func__, ret); - return ret; + } else if (ret != data_length) { + /* + * Short read case: + * Probably some one truncate file under us. + * We must explicitly zero sg-pages to prevent + * expose uninizialized pages to userspace. + */ + if (ret < data_length) + ret += iov_iter_zero(data_length - ret, &iter); + else + ret = -EINVAL; } } } - return 1; + kfree(bvec); + return ret; } static sense_reason_t
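
Review bot: In the first hunk (@@ -276,12), with kfree(bvec) no longer placed right after the vfs_iter_* call, bvec is freed only by the kfree added before the final return, so any early return left in or later added to fd_do_rw() leaks it. The three returns visible in this diff are all converted to assignments to ret, which is consistent, but a single exit label holding the kfree would make the invariant explicit. A one-line comment at the final kfree noting that the free is deferred because &iter is still passed to iov_iter_zero() in the short-read branch would keep someone from moving it back up.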
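
Review bot: In the short-read branch of the second hunk (@@ -294,17), the result of iov_iter_zero() is added to ret without checking that it equals data_length - ret; if fewer bytes are zeroed than requested, fd_do_rw() returns a non-negative short count and the unzeroed tail of the buffer is still handed back, which is the leak this patch is meant to close. Suggest checking ret == data_length after `ret += iov_iter_zero(data_length - ret, &iter);` and failing with -EINVAL otherwise. Separately, the final `return 1;` becomes `return ret;`, so a successful call now returns the byte count (which may be 0) rather than 1; the changelog does not mention this and the diff touches no caller, so callers of fd_do_rw() should be confirmed to test only for ret < 0.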