Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp1025629imm;
        Fri, 15 Jun 2018 09:58:57 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKKMr68FPyrVZCvzJDUVQ6GBQzl0O15T/WPurqb+wSmX6LXodJ/O7o4QsaE8L/TIfnnFZdsV
X-Received: by 2002:a17:902:14b:: with SMTP id 69-v6mr2949937plb.184.1529081937705;
        Fri, 15 Jun 2018 09:58:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529081937; cv=none;
        d=google.com; s=arc-20160816;
        b=I5gBpbyUhr/VSVAQrYAQ7W2wFfqXqkHxgit7TdX7WLoWiaT/1TgHKNv79nbDs4Aicu
         l1Lilgor14qAlYq/1FnbYBLAbl2cM7+Q3VuaN2iaIFyDt7XbvzZG6vNFHEa8R514d+NP
         vPX5ADsqfJ+2GBZ4HKPq/U+W5BXBaPQO/PVCQ00dgSWiFtyRuoyr5YDG1V/43fD+0muY
         uzIXtq0puHDnCsLpr7BAfp4LAbCmPEJyVCZWDYVG8yFJOfXJ8wk7TJ8DkT3L7GQlyqMR
         UhTy4EnOE6TBEbcIPcTIYPlke818cWI4PUuaGzJBlKkxm9op6K8/YmwX4rAJsuaHJ1Ts
         kkng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=bmsVLiVIIp4+5TD+qD7SiY+piAjmxRyd4E0p+EzmzmM=;
        b=wJIrwZVuKwMHqT1zLreroBKdMK+9CtrAxY3+quuXzeOfCJWkNRB5k5OCQSZgltAbTV
         KWs1X9OROIyJcDM/D1/plrjcgaxmDwp63cEmGpZfaKt6zRcMyamF9V15EGAAbu2voIdb
         SvlqlhkczUk9YEeeyTax3n1e/eLcbD0ddjBclB1IWkPO4rSPSk1srRfSpP6x0lRMug+N
         tkSo3mZ3iWiI9rogFC0h6a+RXR+q05PdSUwjFJR9NenraKgX71mFOEJleE4gTT2e9Fb/
         A6shiDZM4K/2nBaq9oDIACxlEd9hwmsyt8cYsK+ThWutVvDAZHbzmRtAzg2em7Gl3ZN2
         DWDA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=QBB3CABK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w5-v6si7996780plz.438.2018.06.15.09.58.42;
        Fri, 15 Jun 2018 09:58:57 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=QBB3CABK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756230AbeFOQ6P (ORCPT <rfc822;chrisloverchio@gmail.com>
        + 99 others); Fri, 15 Jun 2018 12:58:15 -0400
Received: from mail-ot0-f196.google.com ([74.125.82.196]:39564 "EHLO
        mail-ot0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754672AbeFOQ6N (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 15 Jun 2018 12:58:13 -0400
Received: by mail-ot0-f196.google.com with SMTP id l15-v6so11715317oth.6
        for <linux-kernel@vger.kernel.org>; Fri, 15 Jun 2018 09:58:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=bmsVLiVIIp4+5TD+qD7SiY+piAjmxRyd4E0p+EzmzmM=;
        b=QBB3CABKqqQpJcQN7ztjzkrzn8LOdSzIuIABj2BTWbkERf1/69UXTkrzaAdeCfjjK5
         lHCeRoGXJBwhrPDQvosEADliBHRb2cMohVezhaBaLr2MXXyUIMCSZ0tibv2SBxFOyOej
         gxdLrVCxwJw7IA1zMS3gJAQIxcrMH+zqGCnarvB+9/xIqFfxOQ1leJIqVTJcXJH1/0e0
         2ESI3uG3zVuDqcXYxiQCXockVQhC51ErhSPjvhZPL2195s+XEYbeca+cDwqLxxmF782F
         gofYtXhWFruoR0v6BPWObw/VMWpVoGqV5Sj8i60KLF0RP+aKBrZjGIqO4WIcmMrhkPhx
         JZpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=bmsVLiVIIp4+5TD+qD7SiY+piAjmxRyd4E0p+EzmzmM=;
        b=awkG+HAiMYzHFvRvkw0pj74yVCt34lkoIJxWkfgUN4dlWUvwWxhB6Drj/6FSA2jpfc
         jPUD7D8f2lpN2EJoLpWRWKqlg76usCJoCxzTmgrD68OSROqkv8ToCyAG2uRp9uxeYwZ4
         C7CnYZKPV4Se2mBB4lr3jdkdTz/m8nHk7KqWGgpW9PUuZMqbaLON9Ng+MR/qrv3yXYPK
         3aG2Ps7WYyTlIbWwF4G+tlKQlw5y/ym2aZWAttT8vv6oMXxUjcuoZHA4NU2Ijk9vjur5
         yztnEc8tLqvF9YqtFuN8qRXQrxT/CPCPVKqvKdUy4Y/wDwm+ongf/30VOjj2XUNMeZPx
         /E+Q==
X-Gm-Message-State: APt69E1TaMDaSw00bcYOxlnvn/7skWmRSQGtGApDyg28O5Mmp5rQp9lO
        /if9EfjItmp+a/vBt99lO6oE2EvtTuS0RLjf70Qkfg==
X-Received: by 2002:a9d:59c8:: with SMTP id u8-v6mr1589333otg.216.1529081892817;
 Fri, 15 Jun 2018 09:58:12 -0700 (PDT)
MIME-Version: 1.0
References: <20180615152335.208202-1-jannh@google.com> <20180615164930.GE30522@ZenIV.linux.org.uk>
In-Reply-To: <20180615164930.GE30522@ZenIV.linux.org.uk>
From:   Jann Horn <jannh@google.com>
Date:   Fri, 15 Jun 2018 18:58:01 +0200
Message-ID: <CAG48ez0x+d78yUc3FxHcQOtJRCF1j3Af+iR=UojnDrqqYzzTcg@mail.gmail.com>
Subject: Re: [PATCH] sg, bsg: mitigate read/write abuse, block uaccess in release
To:     Al Viro <viro@zeniv.linux.org.uk>
Cc:     axboe@kernel.dk, fujita.tomonori@lab.ntt.co.jp,
        dgilbert@interlog.com, jejb@linux.vnet.ibm.com,
        martin.petersen@oracle.com, linux-block@vger.kernel.org,
        linux-scsi@vger.kernel.org,
        kernel list <linux-kernel@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        security@kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jun 15, 2018 at 6:49 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Fri, Jun 15, 2018 at 05:23:35PM +0200, Jann Horn wrote:
> > As Al Viro noted in commit 128394eff343 ("sg_write()/bsg_write() is not fit
> > to be called under KERNEL_DS"), sg and bsg improperly access userspace
> > memory outside the provided buffer, permitting kernel memory corruption via
> > splice().
> > But they don't just do it on ->write(), also on ->read() and (in the case
> > of bsg) even on ->release().
> >
> > As a band-aid, make sure that the ->read() and ->write() handlers can not
> > be called in weird contexts (kernel context or credentials different from
> > file opener), like for ib_safe_file_access().
> > Also, completely prevent user memory accesses from ->release().
>
> Band-aid it is, and a bloody awful one, at that.  What the hell is going on
> in bsg_put_device() and can it _ever_ hit that call chain?  I.e.
>         bsg_release()
>                 bsg_put_device()
>                         blk_complete_sgv4_hdr_rq()
>                                 ->complete_rq()
>                                         copy_to_user()
> If it can, the whole thing is FUBAR by design - ->release() may bloody well
> be called in a context that has no userspace at all.
>
> This is completely insane; what's going on there?

Perhaps I should have split my patch into two parts; it consists of
two somewhat related changes.

The first change is that ->read() and ->write() violate the normal
contract and, as a band-aid, should not be called in uaccess_kernel()
context or with changed creds.

The second change is an actual fix: AFAICS ->release() accidentally
accessed userspace, which I've fixed using the added "cleaning_up"
parameter.