Received: by 10.192.165.148 with SMTP id m20csp3044149imm; Sun, 29 Apr 2018 12:40:49 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqThXZXimiLT1qMHMt9jt5XI8FtnxO+l+shAT9feW7BPMQcJDRzaURLc1/FQX8PUuX8xNfT X-Received: by 2002:a17:902:988b:: with SMTP id s11-v6mr5873808plp.304.1525030849477; Sun, 29 Apr 2018 12:40:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525030849; cv=none; d=google.com; s=arc-20160816; b=mTxxA/5tcYCv4ZF1Cf2rTuhoaCA2o2pFgleyFM4sWXedMVBoMpm7IxSm1C4vG6dx0b zlEVaX9rpM1DWxaVvEy6zt1aD9u5TFa4KVbYE19LQK4vT11sCCOo88qdeO75k8qOdfhY 5cJvVoWJ3H+Tww5JPQjroy467Fl9zYItJZ380mCk52qbvP8C1OfDapNYlmIaFS9syhOZ zD13sTSXdZHdj/xOzJWrMWR4j6b7ZKYUi4aupYhqa+GEQSTL1UWXZd85nYojtVJCwuD/ u5ssicI+hXkIpzTGqb3fv7p0T7U54XcRUT6zfLQCziunyFmszPeoDN1rtC+ikkvg+dIh s37g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dmarc-filter:arc-authentication-results; bh=Og71V/8oVIEN6QVmr42jFCvQOrmTOron7ftibU1wfFw=; b=WqyQdnzrRVhU6+M6SZZhB+uwlx/LiQw10GKaPai90uH5CvsVHMx01JJB8LjyEs5aWx MFC1aA0M+B7EFGKXLaXlutrXwsXLTIBqIPZsTL8x2vlOM/kGpIzqUIPLXWNG6ffrXEzJ DLZ+dijAVZLXpdn4036f4hSv6AjwJXdJfWjJiqxTA50AaeNvIN+OeAfQ4Wgr58mxPI4q MxPAdA2m68x+Zd9+gTU6XdYTOjAZgX08JiV5pW8svZKxf0jQ3YPUwN62vCRLIB0qRdUH h8/EFxd7OGAv34y100J8soprX+KcE8LtjRrzHnGWZTHDZD95XYx2sKYJjeHCTVz8TXcx mjZA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v41-v6si6003784plg.451.2018.04.29.12.40.35; Sun, 29 Apr 2018 12:40:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754220AbeD2TkQ (ORCPT + 99 others); Sun, 29 Apr 2018 15:40:16 -0400 Received: from mail.kernel.org ([198.145.29.99]:42236 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753546AbeD2TkL (ORCPT ); Sun, 29 Apr 2018 15:40:11 -0400 Received: from localhost (mobile-166-137-179-035.mycingular.net [166.137.179.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E6C55229EA; Sun, 29 Apr 2018 19:40:08 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E6C55229EA Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org Authentication-Results: mail.kernel.org; spf=fail smtp.mailfrom=gregkh@linuxfoundation.org Date: Sun, 29 Apr 2018 15:20:58 +0200 From: Greg Kroah-Hartman To: "Dilger, Andreas" Cc: Wenwen Wang , "devel@driverdev.osuosl.org" , Ben Evans , Jeff Layton , Aastha Gupta , "kjlu@umn.edu" , NeilBrown , "linux-kernel@vger.kernel.org" , "Drokin, Oleg" , "lustre-devel@lists.lustre.org" Subject: Re: [PATCH] staging: luster: llite: fix a potential missing-check bug when copying lumv Message-ID: <20180429132058.GB5972@kroah.com> References: <1524872704-13391-1-git-send-email-wang6495@umn.edu> <8E6ADED8-592E-4794-8CAB-913A325B1971@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8E6ADED8-592E-4794-8CAB-913A325B1971@intel.com> User-Agent: Mutt/1.9.5 (2018-04-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Apr 28, 2018 at 04:04:25PM +0000, Dilger, Andreas wrote: > On Apr 27, 2018, at 17:45, Wenwen Wang wrote: > > [PATCH] staging: luster: llite: fix potential missing-check bug when copying lumv > > (typo) s/luster/lustre/ > > > In ll_dir_ioctl(), the object lumv3 is firstly copied from the user space > > using Its address, i.e., lumv1 = &lumv3. If the lmm_magic field of lumv3 is > > LOV_USER_MAGIV_V3, lumv3 will be modified by the second copy from the user > > (typo) s/MAGIV/MAGIC/ > > > space. The second copy is necessary, because the two versions (i.e., > > lov_user_md_v1 and lov_user_md_v3) have different data formats and lengths. > > However, given that the user data resides in the user space, a malicious > > user-space process can race to change the data between the two copies. By > > doing so, the attacker can provide a data with an inconsistent version, > > e.g., v1 version + v3 data. This can lead to logical errors in the > > following execution in ll_dir_setstripe(), which performs different actions > > according to the version specified by the field lmm_magic. > > This isn't a serious bug in the end. The LOV_USER_MAGIC_V3 check just copies > a bit more data from userspace (the lmm_pool field). It would be more of a > problem if the reverse was possible (copy smaller V1 buffer, but change the > magic to LOV_USER_MAGIC_V3 afterward), but this isn't possible since the second > copy is not done if there is a V1 magic. If the user changes from V3 magic > to V1 in a racy manner it means less data will be used than copied, which > is harmless. > > > This patch rechecks the version field lmm_magic in the second copy. If the > > version is not as expected, i.e., LOV_USER_MAGIC_V3, an error code will be > > returned: -EINVAL. > > This isn't a bad idea in any case, since it verifies the data copied from > userspace is still valid. So you agree with this patch? Or do not? confused, greg k-h