Received: by 10.192.165.148 with SMTP id m20csp4506441imm;
        Mon, 30 Apr 2018 21:07:24 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqYojncOJjmMIkMDbAhwEvOioAeqK35lL122OdiumA86m660EqFL9+ElDh5YPBXlaPXDm1u
X-Received: by 2002:a17:902:7209:: with SMTP id ba9-v6mr13177702plb.119.1525147644561;
        Mon, 30 Apr 2018 21:07:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525147644; cv=none;
        d=google.com; s=arc-20160816;
        b=liFrJ988etPn7pB3RXWMVyJ5p5+1z3kH552lJmX0q4LrDm/DdXHJyfD5BxZKgc3nHd
         us/Wxd9NU/awfyrmBr49n+5jFF5EGOSrjBhBBhkKaQ6gsLpOWnk76F0tSdExoVGO5tCs
         j/ilN9KPrdzicR5+QjgkIzfsK/1lyWskv2XkjcWuWH8oTXjyRcDjjZ+Ic800nPMgt7W4
         ORuVJpeBeoJVkU/lX/prC57vYYZCbLaADaKXnWwG63AvFZ/+x/iPRtiy2jUi42/LKIYc
         1UmetmAYAIw6M8tL0IBxZsKDYpyv4IuzRH1bs6RWL2tUDup3QCXGZ+13sC094r0n6DTR
         BZmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :content-id:content-language:accept-language:in-reply-to:references
         :message-id:date:thread-index:thread-topic:subject:cc:to:from
         :arc-authentication-results;
        bh=HosSnsjdjgwQ8Nn9Go1yYYWIYy1FZaP+Ayi8MnZUf90=;
        b=nxFkM4qRTMedYhY0Bhm65JHy1pGnisATlSNj5w2ONtYNKorJncXwMINWzF0sMOzmCC
         idUKhyw4e00ff/ldJdNzmDDe/COsLFH2rVMIeKoC0wc36ezcGBTtHUVWqcESfpaPNu8u
         KcoIBToGOVEh5UIAEvMBOxiviQAMmZ1cfUyAN+lSPTv6qAPPp4Run1xEpWBuvbfo9XK4
         Jqq5J6/PP7DsFWqp+kbpabin9bpaqkDxOkWCionro/IpYoNBAud8h7bgMrH6l9EWEIl2
         LPV//GKSm+Q+t+5kpORyLm/KaNk3jz0dhIYqsSsj6fHDrVrqmiuBSgf50Lgpv5LSQ0Qw
         uH5A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l12-v6si7177748pga.536.2018.04.30.21.07.10;
        Mon, 30 Apr 2018 21:07:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751074AbeEAEG7 convert rfc822-to-8bit (ORCPT
        <rfc822;chaneybenjamini@gmail.com> + 99 others);
        Tue, 1 May 2018 00:06:59 -0400
Received: from mga06.intel.com ([134.134.136.31]:18335 "EHLO mga06.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1750817AbeEAEG6 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 1 May 2018 00:06:58 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58])
  by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Apr 2018 21:06:58 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.49,349,1520924400"; 
   d="scan'208";a="37444768"
Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204])
  by orsmga007.jf.intel.com with ESMTP; 30 Apr 2018 21:06:57 -0700
Received: from fmsmsx157.amr.corp.intel.com (10.18.116.73) by
 FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Mon, 30 Apr 2018 21:06:57 -0700
Received: from FMSMSX109.amr.corp.intel.com ([169.254.15.12]) by
 FMSMSX157.amr.corp.intel.com ([169.254.14.141]) with mapi id 14.03.0319.002;
 Mon, 30 Apr 2018 21:06:56 -0700
From:   "Dilger, Andreas" <andreas.dilger@intel.com>
To:     Wenwen Wang <wang6495@umn.edu>
CC:     Kangjie Lu <kjlu@umn.edu>, "Drokin, Oleg" <oleg.drokin@intel.com>,
        "James Simmons" <jsimmons@infradead.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Aastha Gupta <aastha.gupta4104@gmail.com>,
        NeilBrown <neilb@suse.com>,
        Roman Storozhenko <romeusmeister@gmail.com>,
        Luis de Bethencourt <luisbg@kernel.org>,
        Jeff Layton <jlayton@redhat.com>,
        "moderated list:STAGING - LUSTRE PARALLEL FILESYSTEM" 
        <lustre-devel@lists.lustre.org>,
        "open list:STAGING SUBSYSTEM" <devel@driverdev.osuosl.org>,
        open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] staging: lustre: llite: fix potential missing-check
 bug when copying lumv
Thread-Topic: [PATCH v2] staging: lustre: llite: fix potential missing-check
 bug when copying lumv
Thread-Index: AQHT4NZ/GvK7CQDrfEibHz/EWOxvVaQat1qA
Date:   Tue, 1 May 2018 04:06:56 +0000
Message-ID: <BA97D240-2B0A-4AD4-B83B-201C285E4DEB@intel.com>
References: <1525128971-8946-1-git-send-email-wang6495@umn.edu>
In-Reply-To: <1525128971-8946-1-git-send-email-wang6495@umn.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.252.137.157]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <9C44E211C32C8846B8454FF0FA5249FC@intel.com>
Content-Transfer-Encoding: 8BIT
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Apr 30, 2018, at 16:56, Wenwen Wang <wang6495@umn.edu> wrote:
> 
> In ll_dir_ioctl(), the object lumv3 is firstly copied from the user space
> using Its address, i.e., lumv1 = &lumv3. If the lmm_magic field of lumv3 is
> LOV_USER_MAGIC_V3, lumv3 will be modified by the second copy from the user
> space. The second copy is necessary, because the two versions (i.e.,
> lov_user_md_v1 and lov_user_md_v3) have different data formats and lengths.
> However, given that the user data resides in the user space, a malicious
> user-space process can race to change the data between the two copies. By
> doing so, the attacker can provide a data with an inconsistent version,
> e.g., v1 version + v3 data. This can lead to logical errors in the
> following execution in ll_dir_setstripe(), which performs different actions
> according to the version specified by the field lmm_magic.
> 
> This patch rechecks the version field lmm_magic in the second copy.  If the
> version is not as expected, i.e., LOV_USER_MAGIC_V3, an error code will be
> returned: -EINVAL.
> 
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>

Thanks for the updated patch.

Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>

> ---
> drivers/staging/lustre/lustre/llite/dir.c | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c
> index d10d272..80d44ca 100644
> --- a/drivers/staging/lustre/lustre/llite/dir.c
> +++ b/drivers/staging/lustre/lustre/llite/dir.c
> @@ -1185,6 +1185,8 @@ static long ll_dir_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> 		if (lumv1->lmm_magic == LOV_USER_MAGIC_V3) {
> 			if (copy_from_user(&lumv3, lumv3p, sizeof(lumv3)))
> 				return -EFAULT;
> +			if (lumv3.lmm_magic != LOV_USER_MAGIC_V3)
> +				return -EINVAL;
> 		}
> 
> 		if (is_root_inode(inode))
> -- 
> 2.7.4
> 

Cheers, Andreas
--
Andreas Dilger
Lustre Principal Architect
Intel Corporation