Received: by 10.192.165.148 with SMTP id m20csp93138imm; Fri, 4 May 2018 07:12:25 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpXP3qqUEHdv2wrtMHonWLYWwzPy+HXzhs8lnWBcOti5l4i0+Bhir/drua23sc/nquGYWfi X-Received: by 2002:a17:902:b487:: with SMTP id y7-v6mr13183011plr.135.1525443145717; Fri, 04 May 2018 07:12:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525443145; cv=none; d=google.com; s=arc-20160816; b=JSpblOBQFqKmioLSc29KaG4wMVp+EcV+hgyaT1MhzuJHls+d3eeQzYtPOUnyHc1JZ5 R9pame53DQxLYka+FasUqKkpAdLqTisq+bgZDn/dx+DJ3EcqoKUQsw0rrZbKE80R1jMN IjomSRsRHI1MtTBvaLgqCk5sRqc9TMw3otRYuYcQTh8TLFTlirbeiMVLpmH/LpW5u3MU FYYShoi5suqbxbyERKgduUbzkhEUkF/oTt13sq0pIhedbPbIIj+pcvjWthYG9+MzYd8o pHfRX/rAS6MeJSa2XuJkyj9Ri4qCl1b0CKlnnEhX2ByRoQ0Hpu17x4F6YiSF/APR6q9b CW0w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=QlJ8PQIHgNFhTSDdV5E4w3l98EQYSv5eiJt5RYvGkWY=; b=fnkwHFkUOxeiLwIBAMMRjwAjG4Kv/kHuBClda0Q+x/MF0dfTWNlL+jxyddRYoHBEh9 TNog/dcWmZAzipmuc0yYXf0w0wYLvvYjnrK/C88zd5dG+Vim1YDikNbXTCecb1NhFfrz TurN7N32f8KtMvsazhyg46cyj2aUiCp9hVhNUpqiXPN020vdnca+PPjL9Zo0exUuPuzR zW74NhDT6Pu91iT2IzBIxeoMB9LkhcLn6U50P75az43N34Y9/v8z1wnsrQxffzsxGZ9o MU9zSSs33pfFERkxE3MtIyDl420dOQa/zDu0R0cTVzsRjIXbKehmjJ/6AHnkxmdSj9Jo U3xw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=mqrkT0sa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p13-v6si12724266pgv.182.2018.05.04.07.12.11; Fri, 04 May 2018 07:12:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=mqrkT0sa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751369AbeEDOL6 (ORCPT + 99 others); Fri, 4 May 2018 10:11:58 -0400 Received: from mta-p4.oit.umn.edu ([134.84.196.204]:58410 "EHLO mta-p4.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751262AbeEDOL5 (ORCPT ); Fri, 4 May 2018 10:11:57 -0400 Received: from localhost (localhost [127.0.0.1]) by mta-p4.oit.umn.edu (Postfix) with ESMTP id A627D6BB for ; Fri, 4 May 2018 14:11:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=umn.edu; h= content-type:content-type:subject:subject:message-id:date:date :from:from:references:in-reply-to:received:mime-version:received :received:received; s=20160920; t=1525443116; x=1527257517; bh=N 45YgnGnZZeHHGCFfrCaxWHl/Qz9lcenXPYbHbDgXrw=; b=mqrkT0sa+q7j3FM33 zBt/wgJmaNXwYsyys/rpyKpv+qscOp0JzSmA7pLUv/jNxG+XwpVn43In/1v49zZ4 R/fNBxnLL8pUrTELy60saqMg+33mtWw1MSklONbgPooss70Plo+l+mZHTH7EoWKM 7X7vKrfS8nUwQbMRUa78TwUHZfblHiWeJDmbBHYLla4PYexOrK6t5Lt2YXhm1NXs qa4If9omzdb9xyRVzVMiPY/u8T97eTbKvnIWoEE/GapuGNlKNCmSVgVfMm3G09dF 1D4vs2rlqLvozi9I/UqEIGpW/Ny0bb1cdD2PQxVcW6QIekIT6jamTIdFjymMF7D3 +WjlQ== X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p4.oit.umn.edu ([127.0.0.1]) by localhost (mta-p4.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xws_swsVb5nU for ; Fri, 4 May 2018 09:11:56 -0500 (CDT) Received: from mail-io0-f170.google.com (mail-io0-f170.google.com [209.85.223.170]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: wang6495) by mta-p4.oit.umn.edu (Postfix) with ESMTPSA id 8310F6A0 for ; Fri, 4 May 2018 09:11:56 -0500 (CDT) Received: by mail-io0-f170.google.com with SMTP id d11-v6so25759584iof.11 for ; Fri, 04 May 2018 07:11:56 -0700 (PDT) X-Gm-Message-State: ALQs6tAh+dftjTeeiaZJJpB5NY6CEQkJgMHHjwgXzYJYpGqdL+ebId3Z ohr7Y+zHKclTHHxoTOdx/avYI6oBv3T5QIvAfgQ= X-Received: by 2002:a6b:5010:: with SMTP id e16-v6mr28971809iob.274.1525443116293; Fri, 04 May 2018 07:11:56 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a4f:6f07:0:0:0:0:0 with HTTP; Fri, 4 May 2018 07:11:15 -0700 (PDT) In-Reply-To: <7185D89D-A0FE-4B55-B089-9AF0891A00BF@intel.com> References: <1525128971-8946-1-git-send-email-wang6495@umn.edu> <20180501084621.jfxrm3qoqfmftnxh@mwanda> <7185D89D-A0FE-4B55-B089-9AF0891A00BF@intel.com> From: Wenwen Wang Date: Fri, 4 May 2018 09:11:15 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2] staging: lustre: llite: fix potential missing-check bug when copying lumv To: "Dilger, Andreas" Cc: Dan Carpenter , "open list:STAGING SUBSYSTEM" , Aastha Gupta , Roman Storozhenko , Jeff Layton , Greg Kroah-Hartman , Kangjie Lu , NeilBrown , open list , "Drokin, Oleg" , "moderated list:STAGING - LUSTRE PARALLEL FILESYSTEM" , Wenwen Wang Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 4, 2018 at 5:08 AM, Dilger, Andreas wrote: > On May 3, 2018, at 22:19, Wenwen Wang wrote: >> >> On Tue, May 1, 2018 at 3:46 AM, Dan Carpenter wrote: >>> On Mon, Apr 30, 2018 at 05:56:10PM -0500, Wenwen Wang wrote: >>>> However, given that the user data resides in the user space, a malicious >>>> user-space process can race to change the data between the two copies. By >>>> doing so, the attacker can provide a data with an inconsistent version, >>>> e.g., v1 version + v3 data. This can lead to logical errors in the >>>> following execution in ll_dir_setstripe(), which performs different actions >>>> according to the version specified by the field lmm_magic. >>> >>> This part is misleading. The fix is to improve readability and make >>> static checkers happy. You're over dramatizing it to make people think >>> it has a security impact when it doesn't. >>> >>> If the user wants to specify v1 data they can just say that on the first >>> read. They don't need to do funny tricks and race between the two >>> reads. It's allowed. >>> >>> In other words this allows the user to do something in a very >>> complicated way which they are already allowed to do in a very simple >>> straight forward way. >>> >>> regards, >>> dan carpenter >> >> Thanks for your comment, Dan! How about this: >> >> However, given that the user data resides in the user space, a >> malicious user-space process can race to change the data between the >> two copies. By doing so, the attacker can provide a data with an >> inconsistent version, e.g., v1 version + v3 data. The current kernel >> can handle such inconsistent data. But, it may pose a potential >> security risk for future implementations. Also, to improve code >> readability and make static analysis tools happy, which will warn >> about read-verify-re-read type bugs, this issue should be fixed. > > There is nothing preventing the user from using struct lov_mds_md_v3 but > filling in lmm_magic = LOV_MAGIC_V1 from the beginning, no need for a race. > But, if the user uses such a struct, the second fetch won't be executed. This is a little bit different from using LOV_MAGIC_V3 firstly and then changing it to LOV_MAGIC_V1. Wenwen