From: Wenwen Wang
To: wang6495@umn.edu
Cc: kjlu@umn.edu, Oleg Drokin, Andreas Dilger, James Simmons, Greg Kroah-Hartman, Ben Evans, Aastha Gupta, NeilBrown, Jeff Layton, Luis de Bethencourt, lustre-devel@lists.lustre.org, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
Subject: [PATCH] staging: lustre: llite: fix a potential missing-check bug when copying lumv
Date: Fri, 27 Apr 2018 18:45:02 -0500
Message-Id: <1524872704-13391-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4

In ll_dir_ioctl(), the object lumv3 is first copied from user space using its address, i.e., lumv1 = &lumv3. If the lmm_magic field of lumv3 is LOV_USER_MAGIC_V3, lumv3 will be modified by the second copy from user space. The second copy is necessary, because the two versions (i.e., lov_user_md_v1 and lov_user_md_v3) have different data formats and lengths. However, given that the user data resides in user space, a malicious user-space process can race to change the data between the two copies. By doing so, the attacker can provide data with an inconsistent version, e.g., v1 version + v3 data. This can lead to logical errors in the following execution in ll_dir_setstripe(), which performs different actions according to the version specified by the field lmm_magic.

This patch rechecks the version field lmm_magic in the second copy. If the version is not as expected, i.e., LOV_USER_MAGIC_V3, an error code will be returned: -EINVAL.

Signed-off-by: Wenwen Wang
---
 drivers/staging/lustre/lustre/llite/dir.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c
index d10d272..80d44ca 100644
--- a/drivers/staging/lustre/lustre/llite/dir.c
+++ b/drivers/staging/lustre/lustre/llite/dir.c
@@ -1185,6 +1185,8 @@ static long ll_dir_ioctl(struct file *file, unsigned int cmd, unsigned long arg) if (lumv1->lmm_magic == LOV_USER_MAGIC_V3) { if (copy_from_user(&lumv3, lumv3p, sizeof(lumv3))) return -EFAULT; + if (lumv3.lmm_magic != LOV_USER_MAGIC_V3) + return -EINVAL; } if (is_root_inode(inode)) -- 2.7.4
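Review bot: the new check is correct but will look redundant to a later reader who does not know about the double fetch; add a short comment above `if (lumv3.lmm_magic != LOV_USER_MAGIC_V3)` stating that user space can rewrite the buffer between the two copy_from_user() calls, so the magic seen by the second copy must be validated again before ll_dir_setstripe() acts on it. Because lumv1 is &lumv3, everything after this point reads the magic from the second copy, which is why the recheck has to sit here rather than on lumv1 before the copy.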
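To make the race described in the commit message concrete, here is an added user-space model (not code from the patch or the Lustre tree) of the double fetch and of the recheck the patch adds; the struct layouts, magic values, the fetch() stand-in for copy_from_user() and the racing-writer simulation are all constructed for the demo.

```c
/* Added example (not from the patch or the Lustre tree): a user-space model
 * of the double fetch in ll_dir_ioctl() and of the recheck the patch adds.
 * Struct layouts, magic values and fetch() are constructed stand-ins. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define LOV_USER_MAGIC_V1 0x0BD10BD0u   /* demo values */
#define LOV_USER_MAGIC_V3 0x0BD30BD0u
struct lov_user_md_v1 { uint32_t lmm_magic; uint32_t lmm_stripe_count; };
struct lov_user_md_v3 { uint32_t lmm_magic; uint32_t lmm_stripe_count;
                        char lmm_pool_name[16]; };
static struct lov_user_md_v3 user_buf;  /* "user space", shared with a writer */
static int racing, fetches;

/* Stand-in for copy_from_user(): snapshots user_buf as it is right now.
 * When racing, the writer rewrites the magic to V1 after the first copy. */
static void fetch(void *dst, size_t len)
{
    memcpy(dst, &user_buf, len);
    if (racing && ++fetches == 1)
        user_buf.lmm_magic = LOV_USER_MAGIC_V1;
}

/* Mirrors the ioctl path: a v1-sized copy, then a full v3 copy if the magic
 * says V3, with the patch's recheck when `recheck` is set.  Returns -EINVAL
 * if rejected, 1 if the record later code sees is self-consistent, and 2 if
 * a full v3 copy now carries a non-V3 magic (the inconsistency the patch stops). */
static int read_lumv(int recheck)
{
    struct lov_user_md_v3 lumv3;
    struct lov_user_md_v1 *lumv1 = (struct lov_user_md_v1 *)&lumv3;
    fetch(&lumv3, sizeof(*lumv1));
    if (lumv1->lmm_magic == LOV_USER_MAGIC_V3) {
        fetch(&lumv3, sizeof(lumv3));
        if (recheck && lumv3.lmm_magic != LOV_USER_MAGIC_V3)
            return -EINVAL;             /* the two lines the patch adds */
        return lumv1->lmm_magic == LOV_USER_MAGIC_V3 ? 1 : 2;
    }
    return 1;                           /* v1 record: nothing more to copy */
}

/* One scenario: user space submits a V3 record, optionally racing the copies. */
int scenario(int race, int recheck)
{
    memset(&user_buf, 0, sizeof(user_buf));
    user_buf.lmm_magic = LOV_USER_MAGIC_V3;
    strcpy(user_buf.lmm_pool_name, "pool0");
    racing = race; fetches = 0;
    return read_lumv(recheck);
}
```

Without the recheck, a racing writer gets a full v3-sized copy accepted under a V1 magic (scenario returns 2); with it, the same race is rejected with -EINVAL and a well-behaved caller is unaffected.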