Date: Tue, 27 Apr 2021 18:58:41 +0200
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Wenwen Wang, Mike Snitzer
Subject: Re: [PATCH 181/190] Revert "dm ioctl: harden copy_params()'s copy_from_user() from malicious users"

On Wed, Apr 21, 2021 at 03:00:56PM +0200, Greg Kroah-Hartman wrote:
> This reverts commit 800a7340ab7dd667edf95e74d8e4f23a17e87076.
>
> Commits from @umn.edu addresses have been found to be submitted in "bad
> faith" to try to test the kernel community's ability to review "known
> malicious" changes. The result of these submissions can be found in a
> paper published at the 42nd IEEE Symposium on Security and Privacy
> entitled, "Open Source Insecurity: Stealthily Introducing
> Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
> of Minnesota) and Kangjie Lu (University of Minnesota).
>
> Because of this, all submissions from this group must be reverted from
> the kernel tree and will need to be re-reviewed again to determine if
> they actually are a valid fix. Until that work is complete, remove this
> change to ensure that no problems are being introduced into the
> codebase.
>
> Cc: stable@vger.kernel.org
> Cc: Wenwen Wang
> Cc: Mike Snitzer
> Signed-off-by: Greg Kroah-Hartman
> --- > drivers/md/dm-ioctl.c | 18 ++++++++++++------ > 1 file changed, 12 insertions(+), 6 deletions(-) > > diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c > index 1ca65b434f1f..820342de92cd 100644 > --- a/drivers/md/dm-ioctl.c > +++ b/drivers/md/dm-ioctl.c 
> @@ -1747,7 +1747,8 @@ static void free_params(struct dm_ioctl *param, size_t param_size, int param_fla > } > > static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel, > - int ioctl_flags, struct dm_ioctl **param, int *param_flags) > + int ioctl_flags, > + struct dm_ioctl **param, int *param_flags) > { > struct dm_ioctl *dmi; > int secure_data; > @@ -1788,13 +1789,18 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern > > *param_flags |= DM_PARAMS_MALLOC; > > - /* Copy from param_kernel (which was already copied from user) */ > - memcpy(dmi, param_kernel, minimum_data_size); > - > - if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size, > - param_kernel->data_size - minimum_data_size)) > + if (copy_from_user(dmi, user, param_kernel->data_size)) > goto bad; > + > data_copied: > + /* > + * Abort if something changed the ioctl data while it was being copied. > + */ > + if (dmi->data_size != param_kernel->data_size) { > + DMERR("rejecting ioctl: data size modified while processing parameters"); > + goto bad; > + } > + > /* Wipe the user buffer so we do not return it to userspace */ > if (secure_data && clear_user(user, param_kernel->data_size)) > goto bad; > -- > 2.31.1 > Original looks correct, dropping this commit now. greg k-h
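
Review bot: In the second hunk (@@ -1788,13 +1789,18 @@), the restored `copy_from_user(dmi, user, param_kernel->data_size)` reads the first `minimum_data_size` bytes from userspace a second time, and the check added after `data_copied:` compares only `dmi->data_size` with `param_kernel->data_size`. Every other header byte in `dmi` can therefore differ from the `param_kernel` copy that was fetched earlier, and nothing in the lines shown detects that. The lines being removed avoid the second fetch by doing `memcpy(dmi, param_kernel, minimum_data_size)` and copying only the remainder from `(char __user *)user + minimum_data_size`, which makes the header in `dmi` identical to `param_kernel` by construction and leaves no window to compare afterwards. I would keep that form and not apply this revert. If the full re-copy has to come back, the post-copy comparison should cover the whole `minimum_data_size` header, not just `data_size`.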