Received: by 10.192.165.148 with SMTP id m20csp590924imm; Fri, 4 May 2018 03:08:44 -0700 (PDT) X-Google-Smtp-Source: AB8JxZp9La8t1AsZOsL690xAoV4Nrlgxe8GK/KTQsbthQEmt3fdaiCR92bT83Nj+5+0CKOM6Jk90 X-Received: by 2002:a17:902:b942:: with SMTP id h2-v6mr28038633pls.312.1525428524903; Fri, 04 May 2018 03:08:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525428524; cv=none; d=google.com; s=arc-20160816; b=MwzELw0rmrjbUUl2wDiH8Z+7bWlXTBqoYzcZeW+5DxWSqeOq3Jmzb5m6ItFj8j6frb HHS7ODoc7swcUituUFL1m7R+T/evGZQt10eDfZG64++NbicR+nz4EKl+m0mVFWpHQN5C EHf3FY5w4kcOllgQZNawlSbkGv9A3FuSfvXoNfMEB6a4T9+trYKJrdBgaQSEMJvjNBX1 J30ZYiNfw+gwfwBgj9t5bCMjTpt+Z6VEJnzTJuh0QHiESGkHh7II2MZiKM7fZVDKl/Up kGTl4vlbgkoEamMrHZelh70kqzou0bJ2KnRHOxpM/KXaKQzjSe/zfoUeiaMILDt33gCi 90og== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-id:content-language:accept-language:in-reply-to:references :message-id:date:thread-index:thread-topic:subject:cc:to:from :arc-authentication-results; bh=SArg6+OBwHqXroSlgQzJBBXN25Mcl54k9DRGwgY2u9w=; b=XTSqrWRuFwhAIjTex2E0b7tNF21aXP5osJUcQrgmyJnrfejZE57dPOjOZ8hW6jW4Cy UFQFf4DPi0n562uBG914YRjcMLyU4Znj7lA6aOGT6+7zN6ROk7uFEcRxeeFN7Ze5Q6JK HqgJyN8SCDa3YZ7PBPC5vZ5p/2vi5aCmkYMGRvleu65Me5e9fpekY/48Odbp3RZGevSE XLX4hHmhp1DlTKQS5wN7wXJULqYmwoy0JlvJqmwZjTlYOI8eIFU/8zAKN1e29M37THRy IimgFXSOA7xxdmYRMyKClscTixvvQQKWGxwgdNlgaVohygxnuMs1GcgueBHagwFwt8QB M3dg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p83si15839445pfl.279.2018.05.04.03.08.30; Fri, 04 May 2018 03:08:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751432AbeEDKIT convert rfc822-to-8bit (ORCPT + 99 others); Fri, 4 May 2018 06:08:19 -0400 Received: from mga01.intel.com ([192.55.52.88]:44503 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750820AbeEDKIR (ORCPT ); Fri, 4 May 2018 06:08:17 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 May 2018 03:08:17 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,362,1520924400"; d="scan'208";a="225738080" Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201]) by fmsmga005.fm.intel.com with ESMTP; 04 May 2018 03:08:17 -0700 Received: from fmsmsx154.amr.corp.intel.com (10.18.116.70) by FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS) id 14.3.319.2; Fri, 4 May 2018 03:08:17 -0700 Received: from FMSMSX109.amr.corp.intel.com ([169.254.15.12]) by FMSMSX154.amr.corp.intel.com ([169.254.6.14]) with mapi id 14.03.0319.002; Fri, 4 May 2018 03:08:16 -0700 From: "Dilger, Andreas" To: Wenwen Wang CC: Dan Carpenter , "open list:STAGING SUBSYSTEM" , Aastha Gupta , Roman Storozhenko , Jeff Layton , Greg Kroah-Hartman , Kangjie Lu , NeilBrown , open list , "Drokin, Oleg" , "moderated list:STAGING - LUSTRE PARALLEL FILESYSTEM" Subject: Re: [PATCH v2] staging: lustre: llite: fix potential missing-check bug when copying lumv Thread-Topic: [PATCH v2] staging: lustre: llite: fix potential missing-check bug when copying lumv Thread-Index: AQHT4NZ/GvK7CQDrfEibHz/EWOxvVaQbBW2AgARseICAAGFnAA== Date: Fri, 4 May 2018 10:08:16 +0000 Message-ID: <7185D89D-A0FE-4B55-B089-9AF0891A00BF@intel.com> References: <1525128971-8946-1-git-send-email-wang6495@umn.edu> <20180501084621.jfxrm3qoqfmftnxh@mwanda> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.252.137.157] Content-Type: text/plain; charset="us-ascii" Content-ID: Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On May 3, 2018, at 22:19, Wenwen Wang wrote: > > On Tue, May 1, 2018 at 3:46 AM, Dan Carpenter wrote: >> On Mon, Apr 30, 2018 at 05:56:10PM -0500, Wenwen Wang wrote: >>> However, given that the user data resides in the user space, a malicious >>> user-space process can race to change the data between the two copies. By >>> doing so, the attacker can provide a data with an inconsistent version, >>> e.g., v1 version + v3 data. This can lead to logical errors in the >>> following execution in ll_dir_setstripe(), which performs different actions >>> according to the version specified by the field lmm_magic. >> >> This part is misleading. The fix is to improve readability and make >> static checkers happy. You're over dramatizing it to make people think >> it has a security impact when it doesn't. >> >> If the user wants to specify v1 data they can just say that on the first >> read. They don't need to do funny tricks and race between the two >> reads. It's allowed. >> >> In other words this allows the user to do something in a very >> complicated way which they are already allowed to do in a very simple >> straight forward way. >> >> regards, >> dan carpenter > > Thanks for your comment, Dan! How about this: > > However, given that the user data resides in the user space, a > malicious user-space process can race to change the data between the > two copies. By doing so, the attacker can provide a data with an > inconsistent version, e.g., v1 version + v3 data. The current kernel > can handle such inconsistent data. But, it may pose a potential > security risk for future implementations. Also, to improve code > readability and make static analysis tools happy, which will warn > about read-verify-re-read type bugs, this issue should be fixed. There is nothing preventing the user from using struct lov_mds_md_v3 but filling in lmm_magic = LOV_MAGIC_V1 from the beginning, no need for a race. Cheers, Andreas -- Andreas Dilger Lustre Principal Architect Intel Corporation