From: "Dilger, Andreas"
To: Wenwen Wang
CC: Kangjie Lu, "Drokin, Oleg", "James Simmons", Greg Kroah-Hartman, Aastha Gupta, NeilBrown, Roman Storozhenko, Luis de Bethencourt, Jeff Layton, "moderated list:STAGING - LUSTRE PARALLEL FILESYSTEM", "open list:STAGING SUBSYSTEM", open list
Subject: Re: [PATCH v2] staging: lustre: llite: fix potential missing-check bug when copying lumv
Date: Tue, 1 May 2018 04:06:56 +0000
Message-ID:
References: <1525128971-8946-1-git-send-email-wang6495@umn.edu>
In-Reply-To: <1525128971-8946-1-git-send-email-wang6495@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Apr 30, 2018, at 16:56, Wenwen Wang wrote:
>
> In ll_dir_ioctl(), the object lumv3 is firstly copied from the user space
> using its address, i.e., lumv1 = &lumv3. If the lmm_magic field of lumv3 is
> LOV_USER_MAGIC_V3, lumv3 will be modified by the second copy from the user
> space. The second copy is necessary, because the two versions (i.e.,
> lov_user_md_v1 and lov_user_md_v3) have different data formats and lengths.
> However, given that the user data resides in the user space, a malicious
> user-space process can race to change the data between the two copies. By
> doing so, the attacker can provide data with an inconsistent version,
> e.g., v1 version + v3 data. This can lead to logical errors in the
> following execution in ll_dir_setstripe(), which performs different actions
> according to the version specified by the field lmm_magic.
>
> This patch rechecks the version field lmm_magic in the second copy. If the
> version is not as expected, i.e., LOV_USER_MAGIC_V3, an error code will be
> returned: -EINVAL.
>
> Signed-off-by: Wenwen Wang

Thanks for the updated patch.

Reviewed-by: Andreas Dilger

> ---
> drivers/staging/lustre/lustre/llite/dir.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c
> index d10d272..80d44ca 100644
> --- a/drivers/staging/lustre/lustre/llite/dir.c
> +++ b/drivers/staging/lustre/lustre/llite/dir.c
> @@ -1185,6 +1185,8 @@ static long ll_dir_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> if (lumv1->lmm_magic == LOV_USER_MAGIC_V3) {
> if (copy_from_user(&lumv3, lumv3p, sizeof(lumv3)))
> return -EFAULT;
> + if (lumv3.lmm_magic != LOV_USER_MAGIC_V3)
> + return -EINVAL;
> }
>
> if (is_root_inode(inode))
> --
> 2.7.4
>

Cheers, Andreas
--
Andreas Dilger
Lustre Principal Architect
Intel Corporation
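Review bot: the added `if (lumv3.lmm_magic != LOV_USER_MAGIC_V3)` will read as redundant to anyone who does not know that lumv1 aliases lumv3 (the commit message says `lumv1 = &lumv3`), because `lumv1->lmm_magic == LOV_USER_MAGIC_V3` was just tested two lines above; a one-line comment above the new check, e.g. `/* second copy_from_user() re-reads lmm_magic; user space may have changed it */`, would keep a later cleanup from dropping it. The commit message could also say in one sentence why -EINVAL rather than -EFAULT is returned: the user memory was readable, it is the value that no longer matches the first copy.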
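An added example, not code from the patch or from Lustre: a deterministic C model of the double fetch the commit message describes, with the patch's recheck switchable, so the "v1 version + v3 data" state can be observed on the unpatched path and compared with the patched one. The struct layouts, the magic values, `sim_copy_from_user`, `dir_setstripe_ioctl`, `make_user_buf` and `run_case` are all constructed stand-ins, not the kernel's definitions; the racing writer is modelled by a buffer that changes its magic right after the first copy instead of by a second thread.

```c
/* Constructed model of the ll_dir_ioctl() double fetch (not Lustre code). */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed magic values; the real LOV_USER_MAGIC_* constants differ. */
#define LOV_USER_MAGIC_V1 0x0001u
#define LOV_USER_MAGIC_V3 0x0003u

/* Constructed stand-ins for the two layout versions: same prefix, different length. */
struct lov_user_md_v1 {
    uint32_t lmm_magic;
    uint32_t lmm_stripe_count;
};
struct lov_user_md_v3 {
    uint32_t lmm_magic;
    uint32_t lmm_stripe_count;
    char     lmm_pool_name[16];   /* only present in the V3 format */
};

/* A stand-in for user memory. A non-zero flip_to overwrites lmm_magic right
 * after the first copy, modelling a user process racing between the fetches. */
struct user_buf {
    unsigned char mem[sizeof(struct lov_user_md_v3)];
    uint32_t flip_to;
    int fetches;
};

/* Like copy_from_user(): returns 0 on success, bytes not copied on failure. */
static size_t sim_copy_from_user(void *dst, struct user_buf *u, size_t n)
{
    if (n > sizeof(u->mem))
        return n;
    memcpy(dst, u->mem, n);
    if (++u->fetches == 1 && u->flip_to)
        memcpy(u->mem, &u->flip_to, sizeof(u->flip_to));   /* the race */
    return 0;
}

/* Model of the ioctl path. recheck=0 is the unpatched flow, recheck=1 adds the
 * patch's test. Returns a negative errno, or the magic the downstream
 * setstripe logic would dispatch on; *took_v3_copy records whether the
 * V3-sized second copy was performed. */
static int dir_setstripe_ioctl(struct user_buf *u, int recheck, int *took_v3_copy)
{
    struct lov_user_md_v3 lumv3;
    struct lov_user_md_v1 *lumv1 = (struct lov_user_md_v1 *)&lumv3;  /* lumv1 = &lumv3 */

    memset(&lumv3, 0, sizeof(lumv3));
    *took_v3_copy = 0;

    /* First fetch: only the V1-sized prefix, enough to read lmm_magic. */
    if (sim_copy_from_user(lumv1, u, sizeof(*lumv1)))
        return -EFAULT;

    if (lumv1->lmm_magic == LOV_USER_MAGIC_V3) {
        /* Second fetch: the full V3 struct, re-read from user memory. */
        if (sim_copy_from_user(&lumv3, u, sizeof(lumv3)))
            return -EFAULT;
        *took_v3_copy = 1;
        /* The patch's recheck: the magic was re-read and may have changed. */
        if (recheck && lumv3.lmm_magic != LOV_USER_MAGIC_V3)
            return -EINVAL;
    }

    /* What ll_dir_setstripe() would branch on. */
    switch (lumv3.lmm_magic) {
    case LOV_USER_MAGIC_V1:
    case LOV_USER_MAGIC_V3:
        return (int)lumv3.lmm_magic;
    default:
        return -EINVAL;
    }
}

/* Builds a constructed user buffer holding a V3-shaped record with the given magic. */
static struct user_buf make_user_buf(uint32_t magic, uint32_t flip_to)
{
    struct user_buf u;
    struct lov_user_md_v3 lum = { magic, 4, "pool0" };

    memset(&u, 0, sizeof(u));
    memcpy(u.mem, &lum, sizeof(lum));
    u.flip_to = flip_to;
    return u;
}

struct outcome { int ret; int took_v3_copy; };

static struct outcome run_case(uint32_t magic, uint32_t flip_to, int recheck)
{
    struct user_buf u = make_user_buf(magic, flip_to);
    struct outcome o;

    o.ret = dir_setstripe_ioctl(&u, recheck, &o.took_v3_copy);
    return o;
}

int main(void)
{
    struct outcome a = run_case(LOV_USER_MAGIC_V3, 0, 0);
    struct outcome b = run_case(LOV_USER_MAGIC_V3, LOV_USER_MAGIC_V1, 0);
    struct outcome c = run_case(LOV_USER_MAGIC_V3, LOV_USER_MAGIC_V1, 1);

    printf("honest V3, unpatched: ret=%d v3_copy=%d\n", a.ret, a.took_v3_copy);
    printf("racing V3->V1, unpatched: ret=%d v3_copy=%d (V1 dispatch on V3-sized copy)\n",
           b.ret, b.took_v3_copy);
    printf("racing V3->V1, patched: ret=%d (-EINVAL is %d)\n", c.ret, -EINVAL);
    return 0;
}
```

The unpatched racing case is the state the commit message warns about: the handler performed the V3-sized copy, yet the buffer it hands on carries a V1 magic, so the downstream code takes the V1 path over V3 data. With the recheck enabled the same input is rejected with -EINVAL before any of that runs.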