From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dmitry Monakhov, Nicholas Bellinger, Sasha Levin
Subject: [PATCH 4.9 119/177] tcm_fileio: Prevent information leak for short reads
Date: Fri, 23 Mar 2018 10:54:07 +0100
Message-Id: <20180323094210.510511343@linuxfoundation.org>
In-Reply-To: <20180323094205.090519271@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Dmitry Monakhov

[ Upstream commit f11b55d13563e9428c88c873f4f03a6bef11ec0a ]

If we failed to read data from backing file (probably because someone truncated the file under us), we must zerofill cmd's data, otherwise it will be returned as is. Most likely cmd's data are uninitialized pages from page cache. This results in an information leak.

(Change BUG_ON into -EINVAL se_cmd failure - nab)

testcase: https://github.com/dmonakhov/xfstests/commit/e11a1b7b907ca67b1be51a1594025600767366d5

Signed-off-by: Dmitry Monakhov
Signed-off-by: Nicholas Bellinger
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman

--- drivers/target/target_core_file.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) --- a/drivers/target/target_core_file.c +++ b/drivers/target/target_core_file.c @@ -276,12 +276,11 @@ static int fd_do_rw(struct se_cmd *cmd, else ret = vfs_iter_read(fd, &iter, &pos); - kfree(bvec); - if (is_write) { if (ret < 0 || ret != data_length) { pr_err("%s() write returned %d\n", __func__, ret); - return (ret < 0 ? ret : -EINVAL); + if (ret >= 0) + ret = -EINVAL; } } else { /* @@ -294,17 +293,29 @@ static int fd_do_rw(struct se_cmd *cmd, pr_err("%s() returned %d, expecting %u for " "S_ISBLK\n", __func__, ret, data_length); - return (ret < 0 ? ret : -EINVAL); + if (ret >= 0) + ret = -EINVAL; } } else { if (ret < 0) { pr_err("%s() returned %d for non S_ISBLK\n", __func__, ret); - return ret; + } else if (ret != data_length) { + /* + * Short read case: + * Probably some one truncate file under us. + * We must explicitly zero sg-pages to prevent + * expose uninizialized pages to userspace. + */ + if (ret < data_length) + ret += iov_iter_zero(data_length - ret, &iter); + else + ret = -EINVAL; } } } - return 1; + kfree(bvec); + return ret; } static sense_reason_t
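
Review bot: In the first hunk (@@ -276,12 +276,11 @@), the write branch no longer returns early, so a successful write now reaches the function's final `return ret;` instead of `return 1;`. The success value therefore becomes the byte count, which is 0 when data_length is 0. The changelog only mentions short reads; please state the new return convention in the commit message or in a comment above fd_do_rw(), and confirm that every caller tests `ret < 0` rather than a nonzero result.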
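
Review bot: In the second hunk (@@ -294,17 +293,29 @@), the result of `ret += iov_iter_zero(data_length - ret, &iter);` is never compared with data_length, so if fewer bytes are zeroed than requested the function still returns a positive count and the remainder of the buffer keeps whatever it held. Suggest checking `ret != data_length` after the zero-fill and failing with -EINVAL as the other branches do. The new `else ret = -EINVAL;` case (ret greater than data_length) is also the only error path here without a pr_err(), and the added comment misspells "uninitialized".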
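
The short-read leak described in the commit message, reduced to a userspace analogue as an added example (it is not part of the patch and is not kernel code). The names `read_zero_fill` and `stale_bytes_after_read` are hypothetical, the 4-byte file is constructed sample input, and the 0xAA fill stands in for stale page contents.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, userspace analogue of the patched read path: fill
 * buf[0..len) from f at off and zero whatever a short read left unread.
 * Returns len on success, -1 on I/O error. */
static long read_zero_fill(FILE *f, unsigned char *buf, size_t len, long off)
{
    size_t got;
    if (fseek(f, off, SEEK_SET) != 0)
        return -1;
    got = fread(buf, 1, len, f);
    if (got < len && ferror(f))
        return -1;
    memset(buf + got, 0, len - got);   /* short read: zero the remainder */
    return (long)len;
}

/* Constructed scenario: a 16-byte request against a backing file holding
 * only 4 bytes, read into a buffer pre-filled with 0xAA (stand-in for
 * stale page contents). Returns how many stale bytes the caller can
 * still see, or -1 if setup or the read fails. */
static int stale_bytes_after_read(int zero_fill)
{
    unsigned char buf[16];
    size_t i;
    int stale = 0, ok;
    FILE *f = tmpfile();

    if (!f)
        return -1;
    ok = fwrite("DATA", 1, 4, f) == 4;
    memset(buf, 0xAA, sizeof(buf));
    if (ok && zero_fill)
        ok = read_zero_fill(f, buf, sizeof(buf), 0) == (long)sizeof(buf);
    else if (ok)   /* pre-fix pattern: short count accepted, tail untouched */
        ok = fseek(f, 0, SEEK_SET) == 0 && fread(buf, 1, sizeof(buf), f) > 0;
    fclose(f);
    for (i = 0; ok && i < sizeof(buf); i++)
        stale += buf[i] == 0xAA;
    return ok ? stale : -1;
}

int main(void)
{
    printf("without zero-fill: %d stale bytes\n", stale_bytes_after_read(0));
    printf("with zero-fill:    %d stale bytes\n", stale_bytes_after_read(1));
    return 0;
}
```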