Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp1017356imm; Fri, 15 Jun 2018 09:50:20 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLTl9YLKF7QLgrNGq6jIna8Z3/xxmvUciC3ar1SNxYg+nOGxQ7fukLX2HgR3F4KS+i+PMmM X-Received: by 2002:a62:6e01:: with SMTP id j1-v6mr2786804pfc.93.1529081419906; Fri, 15 Jun 2018 09:50:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529081419; cv=none; d=google.com; s=arc-20160816; b=j4wz4Qj18Cfkl+VRSgoh6JnPuWu2qsM7KrR1xL6aBKX0Qks6imqNpvCFnJ/NeTov6M L+c/MEcHjN1CPbWMIdXklL+KbLhTbTbfofH4bCyJobsIT+xzarBPMbW7+rcA6B852QMH is7cqc042vTaL1H9EomAiHMX6bsYC2pRqDHqBkSwQnj+uB/a++7T6AFIIPVaKIZao2R0 ZCawn8GrcQoQPz2Li4M8EX7AMObYKQVV4GpdnL5J7keLkNsqAzZkIrUuyuJQle5aEVV7 OsrG/FcTHD3BjNPtvojX900X0hEauHu6eG0wnaWRz/W8zNabVAQDKqB1Ie72CNtjB16F maSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=40fk6r6PSAm4b1zfD8WUe1q8l+OF3Eh8puIPKh9SVPM=; b=YTjHOyMZJGC8LMjsjpP5IcLHPPXTJ1Ifu1jehLx0k5iBb7mX/HOvPrzLIj1P/Lt7eH 2Fa9o60IBa7rN10dambuTc3GhgeGW2/XxBNSiIl7z8A9CF5Z5Y0gtmh9NkCdMHXOmTGV Y0JDNpC0wCCabPu00ebZFfBGf+c5UyuKcSKYjQwSDh2I1KutdbT7WDqhJxG6kUvNQVVf oguIkd0K385ECxLnt0eVCRlKdw/AZczJifIqkcOrGqQhI1RsRuMz3R6fQkV1hYRopihr U5zP3o0800ynTtcdf18Y8qzKIKe7pnDe1Vto3Htsof2acYOI1nRKck6wjuyn5VjM9Awc jvLw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u3-v6si8253577plb.2.2018.06.15.09.50.05; Fri, 15 Jun 2018 09:50:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966132AbeFOQtk (ORCPT + 99 others); Fri, 15 Jun 2018 12:49:40 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:40224 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966024AbeFOQtg (ORCPT ); Fri, 15 Jun 2018 12:49:36 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.87 #1 (Red Hat Linux)) id 1fTruk-0005zP-Iq; Fri, 15 Jun 2018 16:49:30 +0000 Date: Fri, 15 Jun 2018 17:49:30 +0100 From: Al Viro To: Jann Horn Cc: Jens Axboe , FUJITA Tomonori , Doug Gilbert , "James E.J. Bottomley" , "Martin K. Petersen" , linux-block@vger.kernel.org, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, security@kernel.org Subject: Re: [PATCH] sg, bsg: mitigate read/write abuse, block uaccess in release Message-ID: <20180615164930.GE30522@ZenIV.linux.org.uk> References: <20180615152335.208202-1-jannh@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180615152335.208202-1-jannh@google.com> User-Agent: Mutt/1.9.1 (2017-09-22) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 15, 2018 at 05:23:35PM +0200, Jann Horn wrote: > As Al Viro noted in commit 128394eff343 ("sg_write()/bsg_write() is not fit > to be called under KERNEL_DS"), sg and bsg improperly access userspace > memory outside the provided buffer, permitting kernel memory corruption via > splice(). > But they don't just do it on ->write(), also on ->read() and (in the case > of bsg) even on ->release(). > > As a band-aid, make sure that the ->read() and ->write() handlers can not > be called in weird contexts (kernel context or credentials different from > file opener), like for ib_safe_file_access(). > Also, completely prevent user memory accesses from ->release(). Band-aid it is, and a bloody awful one, at that. What the hell is going on in bsg_put_device() and can it _ever_ hit that call chain? I.e. bsg_release() bsg_put_device() blk_complete_sgv4_hdr_rq() ->complete_rq() copy_to_user() If it can, the whole thing is FUBAR by design - ->release() may bloody well be called in a context that has no userspace at all. This is completely insane; what's going on there?