From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Guillem Jover , Al Viro , Sasha Levin
Subject: [PATCH 5.3 014/105] aio: Fix io_pgetevents() struct __compat_aio_sigset layout
Date: Wed, 11 Dec 2019 16:05:03 +0100
Message-Id: <20191211150224.289343749@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20191211150221.153659747@linuxfoundation.org>
References: <20191211150221.153659747@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Guillem Jover

[ Upstream commit 97eba80fcca754856d09e048f469db22773bec68 ]

This type is used to pass the sigset_t from userland to the kernel, but it was using the kernel native pointer type for the member representing the compat userland pointer to the userland sigset_t.

This messes up the layout, and makes the kernel eat up both the userland pointer and the size members into the kernel pointer, and then reads garbage into the kernel sigsetsize, which makes the sigset_t size consistency check fail, and consequently the syscall always returns -EINVAL.

This breaks both libaio and strace on 32-bit userland running on 64-bit kernels. And there are apparently no users in the wild of the current broken layout (at least according to codesearch.debian.org and a brief check over github.com search). So it looks safe to fix this directly in the kernel, instead of either letting userland deal with this permanently with the additional overhead or trying to make the syscall infer what layout userland used, even though this is also being worked around in libaio to temporarily cope with kernels that have not yet been fixed.

We use a proper compat_uptr_t instead of a compat_sigset_t pointer.

Fixes: 7a074e96dee6 ("aio: implement io_pgetevents")
Signed-off-by: Guillem Jover
Signed-off-by: Al Viro Signed-off-by: Sasha Levin --- fs/aio.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/fs/aio.c b/fs/aio.c index 01e0fb9ae45ae..0d9a559d488c1 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -2179,7 +2179,7 @@ SYSCALL_DEFINE5(io_getevents_time32, __u32, ctx_id, #ifdef CONFIG_COMPAT struct __compat_aio_sigset { - compat_sigset_t __user *sigmask; + compat_uptr_t sigmask; compat_size_t sigsetsize; }; @@ -2193,7 +2193,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents, struct old_timespec32 __user *, timeout, const struct __compat_aio_sigset __user *, usig) { - struct __compat_aio_sigset ksig = { NULL, }; + struct __compat_aio_sigset ksig = { 0, }; struct timespec64 t; bool interrupted; int ret; @@ -2204,7 +2204,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents, if (usig && copy_from_user(&ksig, usig, sizeof(ksig))) return -EFAULT; - ret = set_compat_user_sigmask(ksig.sigmask, ksig.sigsetsize); + ret = set_compat_user_sigmask(compat_ptr(ksig.sigmask), ksig.sigsetsize); if (ret) return ret; @@ -2228,7 +2228,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents_time64, struct __kernel_timespec __user *, timeout, const struct __compat_aio_sigset __user *, usig) { - struct __compat_aio_sigset ksig = { NULL, }; + struct __compat_aio_sigset ksig = { 0, }; struct timespec64 t; bool interrupted; int ret; @@ -2239,7 +2239,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents_time64, if (usig && copy_from_user(&ksig, usig, sizeof(ksig))) return -EFAULT; - ret = set_compat_user_sigmask(ksig.sigmask, ksig.sigsetsize); + ret = set_compat_user_sigmask(compat_ptr(ksig.sigmask), ksig.sigsetsize); if (ret) return ret; -- 2.20.1
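Review bot: the struct __compat_aio_sigset hunk restores the layout but leaves nothing in place to catch it regressing. A `compat_sigset_t __user *` member is a native 8-byte pointer on a 64-bit kernel, so the struct was 16 bytes where 32-bit userland hands in 8 (a 4-byte pointer followed by a 4-byte size), and `copy_from_user(&ksig, usig, sizeof(ksig))` swallowed both userland members into the pointer field; with `compat_uptr_t sigmask` the two 4-byte members line up again. Since this is a userspace ABI layout defined locally in fs/aio.c under CONFIG_COMPAT, a comment stating that it must match the 32-bit userland struct, plus a `BUILD_BUG_ON(sizeof(struct __compat_aio_sigset) != 8)` next to it, would make the next mistake of this kind fail at build time instead of surfacing as -EINVAL at runtime.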
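Review bot: the `{ NULL, }` to `{ 0, }` change in the io_pgetevents hunk is required rather than cosmetic now that sigmask is an integer type (initialising an integer member with NULL draws a sparse/compiler warning), but `{ 0, }` zero-initialises both members anyway, so `= { }` would express "all zero" without tying the initialiser to the first member's type; the same applies to the matching hunk in io_pgetevents_time64.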
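Review bot: `compat_ptr(ksig.sigmask)` in the io_pgetevents set_compat_user_sigmask hunk is the right conversion rather than a plain cast, since on some architectures a compat pointer is not simply zero-extended. Worth confirming in the same hunk that the usig == NULL path, where ksig keeps its `{ 0, }` initialisation, now hands compat_ptr(0) (a NULL pointer) to set_compat_user_sigmask and therefore preserves the existing "no sigmask supplied" behaviour rather than returning an error.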
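Review bot: the io_pgetevents_time64 hunk repeats the copy_from_user plus `set_compat_user_sigmask(compat_ptr(ksig.sigmask), ksig.sigsetsize)` sequence verbatim from io_pgetevents, which is exactly why this fix had to be applied in two places. A small shared helper that fetches the __compat_aio_sigset from usig and returns the converted pointer and size would keep the two syscalls in lock-step the next time this layout needs touching.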