From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Oleg Drokin, Andreas Dilger, James Simmons, Greg Kroah-Hartman, Aastha Gupta, NeilBrown, Roman Storozhenko, Luis de Bethencourt, Jeff Layton, lustre-devel@lists.lustre.org (moderated list:STAGING - LUSTRE PARALLEL FILESYSTEM), devel@driverdev.osuosl.org (open list:STAGING SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2] staging: lustre: llite: fix potential missing-check bug when copying lumv
Date: Mon, 30 Apr 2018 17:56:10 -0500
Message-Id: <1525128971-8946-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-kernel@vger.kernel.org

In ll_dir_ioctl(), the object lumv3 is firstly copied from the user space using its address, i.e., lumv1 = &lumv3. If the lmm_magic field of lumv3 is LOV_USER_MAGIC_V3, lumv3 will be modified by the second copy from the user space. The second copy is necessary, because the two versions (i.e., lov_user_md_v1 and lov_user_md_v3) have different data formats and lengths. However, given that the user data resides in the user space, a malicious user-space process can race to change the data between the two copies. By doing so, the attacker can provide data with an inconsistent version, e.g., v1 version + v3 data. This can lead to logical errors in the following execution in ll_dir_setstripe(), which performs different actions according to the version specified by the field lmm_magic.

This patch rechecks the version field lmm_magic in the second copy. If the version is not as expected, i.e., LOV_USER_MAGIC_V3, an error code will be returned: -EINVAL.

Signed-off-by: Wenwen Wang
---
 drivers/staging/lustre/lustre/llite/dir.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c
index d10d272..80d44ca 100644
--- a/drivers/staging/lustre/lustre/llite/dir.c
+++ b/drivers/staging/lustre/lustre/llite/dir.c @@ -1185,6 +1185,8 @@ static long ll_dir_ioctl(struct file *file, unsigned int cmd, unsigned long arg) if (lumv1->lmm_magic == LOV_USER_MAGIC_V3) { if (copy_from_user(&lumv3, lumv3p, sizeof(lumv3))) return -EFAULT; + if (lumv3.lmm_magic != LOV_USER_MAGIC_V3) + return -EINVAL; } if (is_root_inode(inode)) -- 2.7.4
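Review bot: the new test after the second copy_from_user() looks redundant to a later reader, because the `if (lumv1->lmm_magic == LOV_USER_MAGIC_V3)` guard three lines up tests the same field of the same buffer (lumv1 aliases &lumv3, per the commit message); a one-line comment above `if (lumv3.lmm_magic != LOV_USER_MAGIC_V3)` saying that userspace may have rewritten lmm_magic between the two copies would stop someone from "simplifying" it away. Rechecking only lmm_magic is sufficient here: the second copy overwrites the whole of lumv3, so every other field now comes from the same user-space snapshot as the magic, and the size the caller goes on to use is the one that matches that magic. Returning -EINVAL rather than -EFAULT is the right choice, since the copy itself succeeded and it is the content that is inconsistent.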
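The double fetch described in the commit message, modelled deterministically in user space as an added example; this is not Lustre code. The struct layouts are simplified, the magic values are assumed, and copy_from_user_sim(), setstripe_sim() and dir_ioctl_sim() are stand-ins for copy_from_user(), ll_dir_setstripe() and ll_dir_ioctl(). The racing thread is replaced by a callback that runs after each fetch, so the race always "wins" and the result is reproducible. The same handler is run with and without the patch's recheck to show the inconsistent state the unpatched code reaches.

```c
/* Deterministic model of the ll_dir_ioctl() double fetch.
 * Added example, not Lustre code: layouts, magic values and the
 * *_sim() helpers are simplified assumptions for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOV_USER_MAGIC_V1 0x0BD10BD0u   /* assumed values, for the example only */
#define LOV_USER_MAGIC_V3 0x0BD30BD0u

struct lov_user_md_v1 {                 /* simplified: the real struct has more fields */
    uint32_t lmm_magic;
    uint32_t lmm_stripe_count;
};

struct lov_user_md_v3 {                 /* same prefix as v1 plus the v3-only pool name */
    uint32_t lmm_magic;
    uint32_t lmm_stripe_count;
    char     lmm_pool_name[16];
};

/* Model of the user buffer.  after_fetch() stands in for a second thread
 * that rewrites the buffer while the kernel is between its two copies. */
struct user_mem {
    struct lov_user_md_v3 data;
    int fetches;
    void (*after_fetch)(struct user_mem *um);
};

/* Stand-in for copy_from_user(): returns 0 on success like the real one. */
static int copy_from_user_sim(void *dst, struct user_mem *um, size_t n)
{
    memcpy(dst, &um->data, n);
    um->fetches++;
    if (um->after_fetch)
        um->after_fetch(um);
    return 0;
}

/* Stand-in for ll_dir_setstripe(): it trusts lmm_magic to say how much of
 * the buffer is valid.  Returns 0 when magic and lum_size agree, 1 when the
 * handler reached a state the real code never expects (v1 magic, v3 size). */
static int setstripe_sim(const struct lov_user_md_v1 *lum, size_t lum_size)
{
    switch (lum->lmm_magic) {
    case LOV_USER_MAGIC_V3:
        return lum_size == sizeof(struct lov_user_md_v3) ? 0 : 1;
    case LOV_USER_MAGIC_V1:
        return lum_size == sizeof(struct lov_user_md_v1) ? 0 : 1;
    default:
        return -EINVAL;
    }
}

/* Stand-in for the relevant part of ll_dir_ioctl().  recheck == 0 is the
 * code before the patch, recheck == 1 is the code with the added test. */
static int dir_ioctl_sim(struct user_mem *um, int recheck)
{
    struct lov_user_md_v3 lumv3;
    struct lov_user_md_v1 *lumv1 = (struct lov_user_md_v1 *)&lumv3;
    size_t lum_size = sizeof(struct lov_user_md_v1);

    /* First fetch: only the v1-sized prefix, since a v1 buffer may be shorter. */
    if (copy_from_user_sim(&lumv3, um, sizeof(struct lov_user_md_v1)))
        return -EFAULT;
    if (lumv1->lmm_magic == LOV_USER_MAGIC_V3) {
        /* Second fetch: the whole v3 struct; userspace may have changed it. */
        if (copy_from_user_sim(&lumv3, um, sizeof(lumv3)))
            return -EFAULT;
        if (recheck && lumv3.lmm_magic != LOV_USER_MAGIC_V3)
            return -EINVAL;             /* the patch's added check */
        lum_size = sizeof(lumv3);
    }
    return setstripe_sim(lumv1, lum_size);
}

/* Attacker behaviour: after the kernel has seen V3 once, switch to V1. */
static void flip_magic_to_v1(struct user_mem *um)
{
    if (um->fetches == 1)
        um->data.lmm_magic = LOV_USER_MAGIC_V1;
}

/* Constructed request buffer: a v3 layout naming a pool (sample data). */
static struct user_mem make_request(uint32_t magic, void (*racer)(struct user_mem *))
{
    struct user_mem um;
    memset(&um, 0, sizeof(um));
    um.data.lmm_magic = magic;
    um.data.lmm_stripe_count = 4;
    memcpy(um.data.lmm_pool_name, "pool0", 6);
    um.after_fetch = racer;
    return um;
}

int run_honest_user(int recheck)   /* well-behaved v3 caller */
{
    struct user_mem um = make_request(LOV_USER_MAGIC_V3, NULL);
    return dir_ioctl_sim(&um, recheck);
}

int run_v1_user(int recheck)       /* well-behaved v1 caller, never double-fetched */
{
    struct user_mem um = make_request(LOV_USER_MAGIC_V1, NULL);
    return dir_ioctl_sim(&um, recheck);
}

int run_racing_user(int recheck)   /* v3 caller that flips the magic mid-ioctl */
{
    struct user_mem um = make_request(LOV_USER_MAGIC_V3, flip_magic_to_v1);
    return dir_ioctl_sim(&um, recheck);
}

int main(void)
{
    printf("honest v3, no recheck:  %d\n", run_honest_user(0));
    printf("racing v3, no recheck:  %d  (1 = v1 magic reached setstripe with v3 size)\n",
           run_racing_user(0));
    printf("racing v3, with recheck: %d  (-EINVAL is %d)\n", run_racing_user(1), -EINVAL);
    return 0;
}
```

Without the recheck the racing caller gets the v3 size attached to a buffer whose magic now says v1, which is exactly the "v1 version + v3 data" mix the commit message warns about; with the recheck the same caller is rejected with -EINVAL, and honest v1 and v3 callers are unaffected in both variants.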