Received: by 10.192.165.148 with SMTP id m20csp4289934imm;
        Mon, 30 Apr 2018 15:40:07 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZoYNo4+XIAPv+VEk1M4MPjwD/zQR2gnk8qMIlcCAcJKe7DsKi59/wSFaBjHDkYUDwaVfIp0
X-Received: by 10.98.150.150 with SMTP id s22mr13041096pfk.191.1525128007227;
        Mon, 30 Apr 2018 15:40:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525128007; cv=none;
        d=google.com; s=arc-20160816;
        b=AdcA9QvauraddL9NRwxg9ukubhQ5WPo8uZmIGYD57luGa5vsR6H+P0EU2Wdp71kR2y
         PTKpnBkjhFavblI4ZM907wvyfKTK+AFejRwVzHi+uap+UYAvFpnRkpT+YtoIbId3n+mK
         doWiTqpRAyc2ec/YJnSfQQhc6y3VvsVtubhWsGOsMX6kKCdWhPOWyuVVT12EkHCCvs4O
         5yuhND3dwoizzP5d50AURrMGcGIyEs93tJfG8KWsqhBa4o98SKBJ/+prBsjSnDZntFuK
         Ov0++g2dE5L6eHNoTywn0KqhLaIkOGeNo+BOd/WQjHXSDZNoewBRd3G5YHDsW2PZ/V3b
         NxiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :content-id:content-language:accept-language:in-reply-to:references
         :message-id:date:thread-index:thread-topic:subject:cc:to:from
         :arc-authentication-results;
        bh=4Wcr0ubrJakSsZ63B05QYEsBrfMgGTaJqjTrOiJyvXY=;
        b=x6iOTAAng8S9xTrTolLGTB5Ovh2xTtHxOpukHJppeSmkB/67iFkl1RcTbKrO9L7uaD
         ZmVVUTBvjgnSHHOVAoNjjIqQGJDMz9x4LBOIhrUMTquC6FnsKgYu6gonyg8DsKfOXOre
         Oql6oIgYvXTeSQvWfNItCQhr7XHTpzwlDMsxRaVazGooMPUVHowEsf5STcgenTliEyU9
         lz5nwMUggcfUbgKxPWXy8xkNIDbzA30H7CRb/haCt2CUWKpelf65oRehgQb7CaVHZudo
         KkmnaoSly/GZgka2NxC0NFqtF4ytaiBr4YVUz7CdGPFrsoidTKQINHuHRpaKPA0LPqEB
         hI5A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y4-v6si3838387pgc.588.2018.04.30.15.39.52;
        Mon, 30 Apr 2018 15:40:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755285AbeD3Wif convert rfc822-to-8bit (ORCPT
        <rfc822;chaneybenjamini@gmail.com> + 99 others);
        Mon, 30 Apr 2018 18:38:35 -0400
Received: from mga03.intel.com ([134.134.136.65]:37470 "EHLO mga03.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1755174AbeD3Wid (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 30 Apr 2018 18:38:33 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga008.jf.intel.com ([10.7.209.65])
  by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Apr 2018 15:38:32 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.49,348,1520924400"; 
   d="scan'208";a="37655642"
Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202])
  by orsmga008.jf.intel.com with ESMTP; 30 Apr 2018 15:38:31 -0700
Received: from fmsmsx158.amr.corp.intel.com (10.18.116.75) by
 fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Mon, 30 Apr 2018 15:38:32 -0700
Received: from FMSMSX109.amr.corp.intel.com ([169.254.15.12]) by
 fmsmsx158.amr.corp.intel.com ([169.254.15.166]) with mapi id 14.03.0319.002;
 Mon, 30 Apr 2018 15:38:31 -0700
From:   "Dilger, Andreas" <andreas.dilger@intel.com>
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CC:     Wenwen Wang <wang6495@umn.edu>,
        "devel@driverdev.osuosl.org" <devel@driverdev.osuosl.org>,
        Ben Evans <bevans@cray.com>, Jeff Layton <jlayton@redhat.com>,
        Aastha Gupta <aastha.gupta4104@gmail.com>,
        "kjlu@umn.edu" <kjlu@umn.edu>, NeilBrown <neilb@suse.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "Drokin, Oleg" <oleg.drokin@intel.com>,
        "lustre-devel@lists.lustre.org" <lustre-devel@lists.lustre.org>
Subject: Re: [PATCH] staging: luster: llite: fix a potential missing-check
 bug when copying lumv
Thread-Topic: [PATCH] staging: luster: llite: fix a potential missing-check
 bug when copying lumv
Thread-Index: AQHT3oHTyuO7iDQp7kKGVoSdfIZNdqQWzXsAgAFkrACAAi4cgA==
Date:   Mon, 30 Apr 2018 22:38:30 +0000
Message-ID: <69A8B9D9-9330-4750-BAAC-94480A1072D5@intel.com>
References: <1524872704-13391-1-git-send-email-wang6495@umn.edu>
 <8E6ADED8-592E-4794-8CAB-913A325B1971@intel.com>
 <20180429132058.GB5972@kroah.com>
In-Reply-To: <20180429132058.GB5972@kroah.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.252.137.157]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1B3EDF9F6BEF61488FF8FDD386B0AAE6@intel.com>
Content-Transfer-Encoding: 8BIT
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Apr 29, 2018, at 07:20, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> 
> On Sat, Apr 28, 2018 at 04:04:25PM +0000, Dilger, Andreas wrote:
>> On Apr 27, 2018, at 17:45, Wenwen Wang <wang6495@umn.edu> wrote:
>>> [PATCH] staging: luster: llite: fix potential missing-check bug when copying lumv
>> 
>> (typo) s/luster/lustre/
>> 
>>> In ll_dir_ioctl(), the object lumv3 is firstly copied from the user space
>>> using Its address, i.e., lumv1 = &lumv3. If the lmm_magic field of lumv3 is
>>> LOV_USER_MAGIV_V3, lumv3 will be modified by the second copy from the user
>> 
>> (typo) s/MAGIV/MAGIC/
>> 
>>> space. The second copy is necessary, because the two versions (i.e.,
>>> lov_user_md_v1 and lov_user_md_v3) have different data formats and lengths.
>>> However, given that the user data resides in the user space, a malicious
>>> user-space process can race to change the data between the two copies. By
>>> doing so, the attacker can provide a data with an inconsistent version,
>>> e.g., v1 version + v3 data. This can lead to logical errors in the
>>> following execution in ll_dir_setstripe(), which performs different actions
>>> according to the version specified by the field lmm_magic.
>> 
>> This isn't a serious bug in the end.  The LOV_USER_MAGIC_V3 check just copies
>> a bit more data from userspace (the lmm_pool field).  It would be more of a
>> problem if the reverse was possible (copy smaller V1 buffer, but change the
>> magic to LOV_USER_MAGIC_V3 afterward), but this isn't possible since the second
>> copy is not done if there is a V1 magic.  If the user changes from V3 magic
>> to V1 in a racy manner it means less data will be used than copied, which
>> is harmless.
>> 
>>> This patch rechecks the version field lmm_magic in the second copy.  If the
>>> version is not as expected, i.e., LOV_USER_MAGIC_V3, an error code will be
>>> returned: -EINVAL.
>> 
>> This isn't a bad idea in any case, since it verifies the data copied from
>> userspace is still valid.
> 
> So you agree with this patch?  Or do not?
> 
> confused,

I don't think it fixes a real bug, but it makes the code a bit more clear,
so I'm OK to land it (with minor corrections to commit message per above).

Cheers, Andreas
--
Andreas Dilger
Lustre Principal Architect
Intel Corporation