Received: by 10.192.165.148 with SMTP id m20csp4289934imm; Mon, 30 Apr 2018 15:40:07 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoYNo4+XIAPv+VEk1M4MPjwD/zQR2gnk8qMIlcCAcJKe7DsKi59/wSFaBjHDkYUDwaVfIp0 X-Received: by 10.98.150.150 with SMTP id s22mr13041096pfk.191.1525128007227; Mon, 30 Apr 2018 15:40:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525128007; cv=none; d=google.com; s=arc-20160816; b=AdcA9QvauraddL9NRwxg9ukubhQ5WPo8uZmIGYD57luGa5vsR6H+P0EU2Wdp71kR2y PTKpnBkjhFavblI4ZM907wvyfKTK+AFejRwVzHi+uap+UYAvFpnRkpT+YtoIbId3n+mK doWiTqpRAyc2ec/YJnSfQQhc6y3VvsVtubhWsGOsMX6kKCdWhPOWyuVVT12EkHCCvs4O 5yuhND3dwoizzP5d50AURrMGcGIyEs93tJfG8KWsqhBa4o98SKBJ/+prBsjSnDZntFuK Ov0++g2dE5L6eHNoTywn0KqhLaIkOGeNo+BOd/WQjHXSDZNoewBRd3G5YHDsW2PZ/V3b NxiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-id:content-language:accept-language:in-reply-to:references :message-id:date:thread-index:thread-topic:subject:cc:to:from :arc-authentication-results; bh=4Wcr0ubrJakSsZ63B05QYEsBrfMgGTaJqjTrOiJyvXY=; b=x6iOTAAng8S9xTrTolLGTB5Ovh2xTtHxOpukHJppeSmkB/67iFkl1RcTbKrO9L7uaD ZmVVUTBvjgnSHHOVAoNjjIqQGJDMz9x4LBOIhrUMTquC6FnsKgYu6gonyg8DsKfOXOre Oql6oIgYvXTeSQvWfNItCQhr7XHTpzwlDMsxRaVazGooMPUVHowEsf5STcgenTliEyU9 lz5nwMUggcfUbgKxPWXy8xkNIDbzA30H7CRb/haCt2CUWKpelf65oRehgQb7CaVHZudo KkmnaoSly/GZgka2NxC0NFqtF4ytaiBr4YVUz7CdGPFrsoidTKQINHuHRpaKPA0LPqEB hI5A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y4-v6si3838387pgc.588.2018.04.30.15.39.52; Mon, 30 Apr 2018 15:40:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755285AbeD3Wif convert rfc822-to-8bit (ORCPT + 99 others); Mon, 30 Apr 2018 18:38:35 -0400 Received: from mga03.intel.com ([134.134.136.65]:37470 "EHLO mga03.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755174AbeD3Wid (ORCPT ); Mon, 30 Apr 2018 18:38:33 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Apr 2018 15:38:32 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,348,1520924400"; d="scan'208";a="37655642" Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202]) by orsmga008.jf.intel.com with ESMTP; 30 Apr 2018 15:38:31 -0700 Received: from fmsmsx158.amr.corp.intel.com (10.18.116.75) by fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 30 Apr 2018 15:38:32 -0700 Received: from FMSMSX109.amr.corp.intel.com ([169.254.15.12]) by fmsmsx158.amr.corp.intel.com ([169.254.15.166]) with mapi id 14.03.0319.002; Mon, 30 Apr 2018 15:38:31 -0700 From: "Dilger, Andreas" To: Greg Kroah-Hartman CC: Wenwen Wang , "devel@driverdev.osuosl.org" , Ben Evans , Jeff Layton , Aastha Gupta , "kjlu@umn.edu" , NeilBrown , "linux-kernel@vger.kernel.org" , "Drokin, Oleg" , "lustre-devel@lists.lustre.org" Subject: Re: [PATCH] staging: luster: llite: fix a potential missing-check bug when copying lumv Thread-Topic: [PATCH] staging: luster: llite: fix a potential missing-check bug when copying lumv Thread-Index: AQHT3oHTyuO7iDQp7kKGVoSdfIZNdqQWzXsAgAFkrACAAi4cgA== Date: Mon, 30 Apr 2018 22:38:30 +0000 Message-ID: <69A8B9D9-9330-4750-BAAC-94480A1072D5@intel.com> References: <1524872704-13391-1-git-send-email-wang6495@umn.edu> <8E6ADED8-592E-4794-8CAB-913A325B1971@intel.com> <20180429132058.GB5972@kroah.com> In-Reply-To: <20180429132058.GB5972@kroah.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.252.137.157] Content-Type: text/plain; charset="us-ascii" Content-ID: <1B3EDF9F6BEF61488FF8FDD386B0AAE6@intel.com> Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Apr 29, 2018, at 07:20, Greg Kroah-Hartman wrote: > > On Sat, Apr 28, 2018 at 04:04:25PM +0000, Dilger, Andreas wrote: >> On Apr 27, 2018, at 17:45, Wenwen Wang wrote: >>> [PATCH] staging: luster: llite: fix potential missing-check bug when copying lumv >> >> (typo) s/luster/lustre/ >> >>> In ll_dir_ioctl(), the object lumv3 is firstly copied from the user space >>> using Its address, i.e., lumv1 = &lumv3. If the lmm_magic field of lumv3 is >>> LOV_USER_MAGIV_V3, lumv3 will be modified by the second copy from the user >> >> (typo) s/MAGIV/MAGIC/ >> >>> space. The second copy is necessary, because the two versions (i.e., >>> lov_user_md_v1 and lov_user_md_v3) have different data formats and lengths. >>> However, given that the user data resides in the user space, a malicious >>> user-space process can race to change the data between the two copies. By >>> doing so, the attacker can provide a data with an inconsistent version, >>> e.g., v1 version + v3 data. This can lead to logical errors in the >>> following execution in ll_dir_setstripe(), which performs different actions >>> according to the version specified by the field lmm_magic. >> >> This isn't a serious bug in the end. The LOV_USER_MAGIC_V3 check just copies >> a bit more data from userspace (the lmm_pool field). It would be more of a >> problem if the reverse was possible (copy smaller V1 buffer, but change the >> magic to LOV_USER_MAGIC_V3 afterward), but this isn't possible since the second >> copy is not done if there is a V1 magic. If the user changes from V3 magic >> to V1 in a racy manner it means less data will be used than copied, which >> is harmless. >> >>> This patch rechecks the version field lmm_magic in the second copy. If the >>> version is not as expected, i.e., LOV_USER_MAGIC_V3, an error code will be >>> returned: -EINVAL. >> >> This isn't a bad idea in any case, since it verifies the data copied from >> userspace is still valid. > > So you agree with this patch? Or do not? > > confused, I don't think it fixes a real bug, but it makes the code a bit more clear, so I'm OK to land it (with minor corrections to commit message per above). Cheers, Andreas -- Andreas Dilger Lustre Principal Architect Intel Corporation