Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp1020954imm; Fri, 15 Jun 2018 09:53:55 -0700 (PDT) X-Google-Smtp-Source: ADUXVKL4fkKkaxER3H1GpGK7Dn3hPgV9Sp7c6xwD5b8b+Fd1Grx59a/lN+iSeYoGkhzibKCWMa39 X-Received: by 2002:a62:449b:: with SMTP id m27-v6mr2836588pfi.130.1529081635550; Fri, 15 Jun 2018 09:53:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529081635; cv=none; d=google.com; s=arc-20160816; b=DYCN79+SJNSvH0ypn4IMgUsv56+K690KvsuPRVTQCOcNPNqCL8P7RFc8NZUuEt5o1k HaY9HZx68aenB6mMloL5amIz2ivaZlTLaUO1hIplfprd6yJeA6Fl4cv5IkejXNGPL6nj /Rtw3B8Osf2QdV8Z9BtuVaby4nvjidoQcwbwyuYj9yB1s22FuxxZq2K+yi9NQHNOHoi5 Br79TcOmmEhis/TFo8tlFERv4EJBJB58S2bpBnTdrv+Kz3qXq1Qf3pGC/iNjHBPkpFS9 EEE3lr7B5ccEXtSp+te/mHi8Cn4Q7NcnW2GWicwgfASul7YreHngMocBvTuVwQ0Cv6l2 NWeg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=Rq1+gTJi82YHVHf0tT7xtyc1GqZAZl5r/dmZH3+LB9k=; b=AYC4YBLdpGcNcP//rhF61JFlcIDqKLv3xmaw71u5dMKhHfuxkQT+nLCbm0BK8Fg41p NtuUGbiO6gb/izoPaZJlTe7p/tASWhT6KHlQ3jflI+ggEEPEqMwtoC6lm5A6locfTN5M CaAif9B0RC/kds0lyrCcpISMyPByOO/cxbvdVyXT2pDU9s/67apK3BPr+wcxAfbPVVAC Me0sXELobrmg/MZL0nmo35hLkh2mHMEPbH9YB0gfqAtbtkBYSQxAuc6AfuYyexV/ibea +639c9kpAp65109i/9sGDUU2GkU/YglJ0Vll638cXL3DsEIuqk/plKp2AJ0sN8lgNWl6 6zQQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w3-v6si6975642pgb.588.2018.06.15.09.53.41; Fri, 15 Jun 2018 09:53:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756127AbeFOQxS (ORCPT + 99 others); Fri, 15 Jun 2018 12:53:18 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:40356 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752703AbeFOQxR (ORCPT ); Fri, 15 Jun 2018 12:53:17 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.87 #1 (Red Hat Linux)) id 1fTryI-00065b-52; Fri, 15 Jun 2018 16:53:10 +0000 Date: Fri, 15 Jun 2018 17:53:10 +0100 From: Al Viro To: Jann Horn Cc: axboe@kernel.dk, fujita.tomonori@lab.ntt.co.jp, dgilbert@interlog.com, jejb@linux.vnet.ibm.com, martin.petersen@oracle.com, linux-block@vger.kernel.org, linux-scsi@vger.kernel.org, kernel list , Kernel Hardening , security@kernel.org Subject: Re: [PATCH] sg, bsg: mitigate read/write abuse, block uaccess in release Message-ID: <20180615165310.GF30522@ZenIV.linux.org.uk> References: <20180615152335.208202-1-jannh@google.com> <20180615164009.GD30522@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.1 (2017-09-22) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 15, 2018 at 06:44:51PM +0200, Jann Horn wrote: > On Fri, Jun 15, 2018 at 6:40 PM Al Viro wrote: > > > > On Fri, Jun 15, 2018 at 05:23:35PM +0200, Jann Horn wrote: > > > > > I've mostly copypasted ib_safe_file_access() over as > > > scsi_safe_file_access() because I couldn't find a good common header - > > > please tell me if you know a better way. > > > The duplicate pr_err_once() calls are so that each of them fires once; > > > otherwise, this would probably have to be a macro. > > > > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > > Cc: > > > Signed-off-by: Jann Horn > > > --- > > > > WTF do you mean, in ->release()? That makes no sense whatsoever - > > what kind of copy_{to,from}_user() would be possible in there? > > bsg_release -> bsg_put_device -> bsg_complete_all_commands -> > blk_complete_sgv4_hdr_rq -> bsg_scsi_complete_rq -> copy_to_user. > I don't think that was intentional. > > Basically, the sense buffer is copied to a userspace address supplied > in the previous ->write() when you ->read() the reply. But when you > ->release() the file without reading the reply, they have to clean it > up, and for that, they reuse the same code they use for ->read() - so > the sense buffer is written to userspace on ->release(). Pardon me, that has only one fix - git rm. This is too broken for words - if your reading is correct, the interface is unsalvagable. I hope you *are* misreading it, but if not... how did that insanity get through review at merge time?