Received: by 10.192.165.148 with SMTP id m20csp590924imm;
        Fri, 4 May 2018 03:08:44 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZp9La8t1AsZOsL690xAoV4Nrlgxe8GK/KTQsbthQEmt3fdaiCR92bT83Nj+5+0CKOM6Jk90
X-Received: by 2002:a17:902:b942:: with SMTP id h2-v6mr28038633pls.312.1525428524903;
        Fri, 04 May 2018 03:08:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525428524; cv=none;
        d=google.com; s=arc-20160816;
        b=MwzELw0rmrjbUUl2wDiH8Z+7bWlXTBqoYzcZeW+5DxWSqeOq3Jmzb5m6ItFj8j6frb
         HHS7ODoc7swcUituUFL1m7R+T/evGZQt10eDfZG64++NbicR+nz4EKl+m0mVFWpHQN5C
         EHf3FY5w4kcOllgQZNawlSbkGv9A3FuSfvXoNfMEB6a4T9+trYKJrdBgaQSEMJvjNBX1
         J30ZYiNfw+gwfwBgj9t5bCMjTpt+Z6VEJnzTJuh0QHiESGkHh7II2MZiKM7fZVDKl/Up
         kGTl4vlbgkoEamMrHZelh70kqzou0bJ2KnRHOxpM/KXaKQzjSe/zfoUeiaMILDt33gCi
         90og==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :content-id:content-language:accept-language:in-reply-to:references
         :message-id:date:thread-index:thread-topic:subject:cc:to:from
         :arc-authentication-results;
        bh=SArg6+OBwHqXroSlgQzJBBXN25Mcl54k9DRGwgY2u9w=;
        b=XTSqrWRuFwhAIjTex2E0b7tNF21aXP5osJUcQrgmyJnrfejZE57dPOjOZ8hW6jW4Cy
         UFQFf4DPi0n562uBG914YRjcMLyU4Znj7lA6aOGT6+7zN6ROk7uFEcRxeeFN7Ze5Q6JK
         HqgJyN8SCDa3YZ7PBPC5vZ5p/2vi5aCmkYMGRvleu65Me5e9fpekY/48Odbp3RZGevSE
         XLX4hHmhp1DlTKQS5wN7wXJULqYmwoy0JlvJqmwZjTlYOI8eIFU/8zAKN1e29M37THRy
         IimgFXSOA7xxdmYRMyKClscTixvvQQKWGxwgdNlgaVohygxnuMs1GcgueBHagwFwt8QB
         M3dg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p83si15839445pfl.279.2018.05.04.03.08.30;
        Fri, 04 May 2018 03:08:44 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751432AbeEDKIT convert rfc822-to-8bit (ORCPT
        <rfc822;ereslibre@gmail.com> + 99 others);
        Fri, 4 May 2018 06:08:19 -0400
Received: from mga01.intel.com ([192.55.52.88]:44503 "EHLO mga01.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1750820AbeEDKIR (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 4 May 2018 06:08:17 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga005.fm.intel.com ([10.253.24.32])
  by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 May 2018 03:08:17 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.49,362,1520924400"; 
   d="scan'208";a="225738080"
Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201])
  by fmsmga005.fm.intel.com with ESMTP; 04 May 2018 03:08:17 -0700
Received: from fmsmsx154.amr.corp.intel.com (10.18.116.70) by
 FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Fri, 4 May 2018 03:08:17 -0700
Received: from FMSMSX109.amr.corp.intel.com ([169.254.15.12]) by
 FMSMSX154.amr.corp.intel.com ([169.254.6.14]) with mapi id 14.03.0319.002;
 Fri, 4 May 2018 03:08:16 -0700
From:   "Dilger, Andreas" <andreas.dilger@intel.com>
To:     Wenwen Wang <wang6495@umn.edu>
CC:     Dan Carpenter <dan.carpenter@oracle.com>,
        "open list:STAGING SUBSYSTEM" <devel@driverdev.osuosl.org>,
        Aastha Gupta <aastha.gupta4104@gmail.com>,
        Roman Storozhenko <romeusmeister@gmail.com>,
        Jeff Layton <jlayton@redhat.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kangjie Lu <kjlu@umn.edu>, NeilBrown <neilb@suse.com>,
        open list <linux-kernel@vger.kernel.org>,
        "Drokin, Oleg" <oleg.drokin@intel.com>,
        "moderated list:STAGING - LUSTRE PARALLEL FILESYSTEM" 
        <lustre-devel@lists.lustre.org>
Subject: Re: [PATCH v2] staging: lustre: llite: fix potential missing-check
 bug when copying lumv
Thread-Topic: [PATCH v2] staging: lustre: llite: fix potential missing-check
 bug when copying lumv
Thread-Index: AQHT4NZ/GvK7CQDrfEibHz/EWOxvVaQbBW2AgARseICAAGFnAA==
Date:   Fri, 4 May 2018 10:08:16 +0000
Message-ID: <7185D89D-A0FE-4B55-B089-9AF0891A00BF@intel.com>
References: <1525128971-8946-1-git-send-email-wang6495@umn.edu>
 <20180501084621.jfxrm3qoqfmftnxh@mwanda>
 <CAAa=b7dHK9grwfFLOpVv=Wpv32mLS66CxXJDHOzNBNaqsWLXaA@mail.gmail.com>
In-Reply-To: <CAAa=b7dHK9grwfFLOpVv=Wpv32mLS66CxXJDHOzNBNaqsWLXaA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.252.137.157]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <FA118DC446889F4292535D4946A995BC@intel.com>
Content-Transfer-Encoding: 8BIT
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On May 3, 2018, at 22:19, Wenwen Wang <wang6495@umn.edu> wrote:
> 
> On Tue, May 1, 2018 at 3:46 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>> On Mon, Apr 30, 2018 at 05:56:10PM -0500, Wenwen Wang wrote:
>>> However, given that the user data resides in the user space, a malicious
>>> user-space process can race to change the data between the two copies. By
>>> doing so, the attacker can provide a data with an inconsistent version,
>>> e.g., v1 version + v3 data. This can lead to logical errors in the
>>> following execution in ll_dir_setstripe(), which performs different actions
>>> according to the version specified by the field lmm_magic.
>> 
>> This part is misleading.  The fix is to improve readability and make
>> static checkers happy.  You're over dramatizing it to make people think
>> it has a security impact when it doesn't.
>> 
>> If the user wants to specify v1 data they can just say that on the first
>> read.  They don't need to do funny tricks and race between the two
>> reads.  It's allowed.
>> 
>> In other words this allows the user to do something in a very
>> complicated way which they are already allowed to do in a very simple
>> straight forward way.
>> 
>> regards,
>> dan carpenter
> 
> Thanks for your comment, Dan! How about this:
> 
> However, given that the user data resides in the user space, a
> malicious user-space process can race to change the data between the
> two copies. By doing so, the attacker can provide a data with an
> inconsistent version, e.g., v1 version + v3 data. The current kernel
> can handle such inconsistent data. But, it may pose a potential
> security risk for future implementations. Also, to improve code
> readability and make static analysis tools happy, which will warn
> about read-verify-re-read type bugs, this issue should be fixed.

There is nothing preventing the user from using struct lov_mds_md_v3 but
filling in lmm_magic = LOV_MAGIC_V1 from the beginning, no need for a race.

Cheers, Andreas
--
Andreas Dilger
Lustre Principal Architect
Intel Corporation