Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4864486imu; Tue, 25 Dec 2018 11:01:36 -0800 (PST) X-Google-Smtp-Source: ALg8bN6CRrH8ifdh69JuQZjFGxxJKS/GnspEiO5HLrVGiJ5dpEx3jt4McC6MYxwBAu6Gfnd+HJ/K X-Received: by 2002:a65:434d:: with SMTP id k13mr16557630pgq.269.1545764496569; Tue, 25 Dec 2018 11:01:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1545764496; cv=none; d=google.com; s=arc-20160816; b=XWxBMolwlaqce/x6pKCRESJ197KnXZUqoqUoY2GhnSoj4w0Dlnv/Ztr+VlRK8/1lDz lg9/AdH8n5yOA+CpwCSx6J1yxg4xnUuqgo1WOOZUvC2K38fvOpAcC+tJq2dG7mjqa4BE iVR1QOuwAYQ+SfLdCuHIIGKzNAkhzQaooMlo/6wPG/wu5XdrR4BEzy6TWmIEcxB19bsI exWTFfrZ/XUx9BWSAf4iNFXdFrkDXHEGEVErjtb4UBCBrK8yOuVULMyp9MQctVVLP1lc iiUm1FIu1CQ/RJz+k8EJj7S4gLRjq2skbAKJAX0XikHZQVoT/XqkA25ZYXyJyHfbPhWb rqCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=XPnXcy7TnL4VBmeDBsDoZgntLGyaaI3u7ypY1sutQ68=; b=oWf6YUOkQBXMVZa3OObiI0kChclVOn4ZdxA9345SdqaBXHrxaCCoyRyx79fWDRnJNc w1W2brS3CaJvGGugUMOyOYDLEOC7FXgvj5FwUmP+9S7kY6vp5kRfqF1TTeT7AxTJJI8W ZevIMdfC02+LJnBUkjcUA2rH/8rLNuBnI0Do/60mfRmnbcj8pJz3ZX/9wzq7t71RvfNa 2p8PfXfkGOGF+M7cRWv9dwBuQvumPJlhYgDoeG1LAnx1dfFjrjdjZ3JxM/igpRL3XI4q 5swzQmehL/iocJ4XhwgH6A6MT4sHQq5NxZlrv7l/xsMLcMw/HKM0c8k016IXoMg+XYqd 4UZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=WuIwWSLs; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m7si37158590pfc.118.2018.12.25.11.00.55; Tue, 25 Dec 2018 11:01:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=WuIwWSLs; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725863AbeLYS6t (ORCPT + 99 others); Tue, 25 Dec 2018 13:58:49 -0500 Received: from mta-p5.oit.umn.edu ([134.84.196.205]:53422 "EHLO mta-p5.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725839AbeLYS6t (ORCPT ); Tue, 25 Dec 2018 13:58:49 -0500 Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id 0614CB23 for ; Tue, 25 Dec 2018 18:58:48 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bkYyWi40A1aA for ; Tue, 25 Dec 2018 12:58:47 -0600 (CST) Received: from mail-it1-f198.google.com (mail-it1-f198.google.com [209.85.166.198]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id CA24D6A1 for ; Tue, 25 Dec 2018 12:58:47 -0600 (CST) Received: by mail-it1-f198.google.com with SMTP id n124so16721695itb.7 for ; Tue, 25 Dec 2018 10:58:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=from:to:cc:subject:date:message-id; bh=XPnXcy7TnL4VBmeDBsDoZgntLGyaaI3u7ypY1sutQ68=; b=WuIwWSLs87VliaLSGUJaxX+M4VIP2iidK2aA7cOB20/SoCKAnO8eezxEluzPWVajYX SrGac/KyCqgwYtaZNiH4DnCza7tI5yjGIxPz6dDpKyuzlqWEo3LVHdPv0WwhNDe7EUNt bVTl4Ev+TU/RPGmIbAwNe3j0GvtaiLYGNgk9K0xahRWCqljMnF3D5xjRI6suzsBhtYIz xGDKtu24OcjLCvPKhVuwsLfAqAlzi6IFk7Jni7Z3N9kw9owfa/17EOw/TJelPdZq86BO fdY/gkMh0OUm2f5YUqOVdu5qyYT+HAh6+gzLL509hQoM+2dAgJHHMmvb39GxGELFjEIZ ujEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=XPnXcy7TnL4VBmeDBsDoZgntLGyaaI3u7ypY1sutQ68=; b=HPtlYYDqaGTWjKJu8+Hu7m7BKPNIsHKSke2njMISTwlyDEWyZXQsRAOXNIocQuupVM ia8u3AUjf8IBLYmoO42XY3rehEUuSHYU+M7P0+quv/D63iwKdwJA0FWz+1m+K1c5sLni qv+QB04Chiafad4dyODR2qNDd3epyQl/viK8Ux8TyBA9+u/q88WQwrXqzgCFSIdvTZDs My/Jmo+v01j+GaeyDdRZNdXpgKfQfPS8SXP5XkZYipG7yG7w7f2eDRpC0I1zKj0ST4/U DRIA+cWZEbHBHvG0nBqFJCEZVSMGE1GKJIHFV3nmt7C2FPolsKwfODgMvxmzgcNJaYPr oaKg== X-Gm-Message-State: AA+aEWaBWHEY1i5tOcOF1BN+uWpuXf1wk37PmzHxk+nZP9yYF4APO7kn DTRJXhJLPHsadGLgVb75LH8TocCOvsVyWDSCEQ+gxlbb3m80eVMqiHiUMx5CWHm7D1nfYWRsYzS fkFYGZXr6CUD+GdqpbaqfRg1k6D/4 X-Received: by 2002:a02:6:: with SMTP id 6mr10699221jaa.19.1545764327327; Tue, 25 Dec 2018 10:58:47 -0800 (PST) X-Received: by 2002:a02:6:: with SMTP id 6mr10699214jaa.19.1545764327011; Tue, 25 Dec 2018 10:58:47 -0800 (PST) Received: from localhost.localdomain (host-173-230-104-22.mnmigsc.mn.minneapolis.us.clients.pavlovmedia.net. [173.230.104.22]) by smtp.gmail.com with ESMTPSA id t69sm5436104itb.26.2018.12.25.10.58.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 25 Dec 2018 10:58:45 -0800 (PST) From: Kangjie Lu To: kjlu@umn.edu Cc: pakki001@umn.edu, Jan Harkes , coda@cs.cmu.edu, codalist@coda.cs.cmu.edu, linux-kernel@vger.kernel.org Subject: [PATCH] fs: coda: fix a double-fetch case in coda_psdev_write Date: Tue, 25 Dec 2018 12:58:14 -0600 Message-Id: <20181225185814.69047-1-kjlu@umn.edu> X-Mailer: git-send-email 2.17.2 (Apple Git-113) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org "hdr" has been copied in from user space and "hdr.opcode" is checked. The code copies it again. User space data between the two copies is subject to modification if the user-space code is multithreaded and malicious. The modification may invalidate the check. In the original code, "hdr.opcode" is not used after the second copy, so it is actually safe with the current code. However, in case future code may use "hdr.opcode", let's avoid copying the header from user space again. Signed-off-by: Kangjie Lu --- fs/coda/psdev.c | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c index c5234c21b539..fb4d1c654773 100644 --- a/fs/coda/psdev.c +++ b/fs/coda/psdev.c @@ -97,35 +97,38 @@ static long coda_psdev_ioctl(struct file * filp, unsigned int cmd, unsigned long static ssize_t coda_psdev_write(struct file *file, const char __user *buf, size_t nbytes, loff_t *off) { - struct venus_comm *vcp = (struct venus_comm *) file->private_data; - struct upc_req *req = NULL; - struct upc_req *tmp; + struct venus_comm *vcp = (struct venus_comm *) file->private_data; + struct upc_req *req = NULL; + struct upc_req *tmp; struct list_head *lh; struct coda_in_hdr hdr; ssize_t retval = 0, count = 0; int error; - /* Peek at the opcode, uniquefier */ + /* Peek at the opcode, uniquefier */ if (copy_from_user(&hdr, buf, 2 * sizeof(u_long))) - return -EFAULT; + return -EFAULT; - if (DOWNCALL(hdr.opcode)) { + if (DOWNCALL(hdr.opcode)) { union outputArgs *dcbuf; int size = sizeof(*dcbuf); if ( nbytes < sizeof(struct coda_out_hdr) ) { pr_warn("coda_downcall opc %d uniq %d, not enough!\n", - hdr.opcode, hdr.unique); + hdr.opcode, hdr.unique); count = nbytes; goto out; } if ( nbytes > size ) { pr_warn("downcall opc %d, uniq %d, too much!", - hdr.opcode, hdr.unique); - nbytes = size; + hdr.opcode, hdr.unique); + nbytes = size; } CODA_ALLOC(dcbuf, union outputArgs *, nbytes); - if (copy_from_user(dcbuf, buf, nbytes)) { + *((struct coda_in_hdr *)dcbuf) = hdr; + if (copy_from_user(dcbuf + sizeof(hdr), + buf + sizeof(hdr), + nbytes - sizeof(hdr))) { CODA_FREE(dcbuf, nbytes); retval = -EFAULT; goto out; @@ -137,14 +140,14 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf, CODA_FREE(dcbuf, nbytes); if (error) { pr_warn("%s: coda_downcall error: %d\n", - __func__, error); + __func__, error); retval = error; goto out; } count = nbytes; goto out; } - + /* Look for the message on the processing queue. */ mutex_lock(&vcp->vc_mutex); list_for_each(lh, &vcp->vc_processing) { @@ -159,19 +162,19 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf, if (!req) { pr_warn("%s: msg (%d, %d) not found\n", - __func__, hdr.opcode, hdr.unique); + __func__, hdr.opcode, hdr.unique); retval = -ESRCH; goto out; } - /* move data into response buffer. */ + /* move data into response buffer. */ if (req->uc_outSize < nbytes) { pr_warn("%s: too much cnt: %d, cnt: %ld, opc: %d, uniq: %d.\n", - __func__, req->uc_outSize, (long)nbytes, - hdr.opcode, hdr.unique); + __func__, req->uc_outSize, (long)nbytes, + hdr.opcode, hdr.unique); nbytes = req->uc_outSize; /* don't have more space! */ } - if (copy_from_user(req->uc_data, buf, nbytes)) { + if (copy_from_user(req->uc_data, buf, nbytes)) { req->uc_flags |= CODA_REQ_ABORT; wake_up(&req->uc_sleep); retval = -EFAULT; @@ -191,9 +194,9 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf, outp->fh = fget(outp->fd); } - wake_up(&req->uc_sleep); + wake_up(&req->uc_sleep); out: - return(count ? count : retval); + return(count ? count : retval); } /* -- 2.17.2 (Apple Git-113)