Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp4670013pxy;
        Tue, 27 Apr 2021 09:59:36 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxvCen6PU3AxErnMpIbHDiQkpQhLEoM6or9AqH5F3b+dW0QE39sHlpezPJqeHRF0y4In48r
X-Received: by 2002:a17:90a:4313:: with SMTP id q19mr6010821pjg.158.1619542775771;
        Tue, 27 Apr 2021 09:59:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1619542775; cv=none;
        d=google.com; s=arc-20160816;
        b=R3XvCzhnAkAi9kpmYJwvRVcwhnBJssqZT/kC5W/jZOP//uEf6TWTvxWXZ+2Xs3YTW2
         QDjWKPeE7vWxDBnQdTl8m+kqz1pkSlXsZTSIM2FZa5vaY7DDfl9r/AcGlhfPIiDKIv2M
         pKS9yTUnHKbma5bLnIr39M0wd0TVCSnq8pOpQ17mYGHMnx7cET8XIF5gC5QvA52pKgFj
         ByuZbX4ZNwvwPOCCJi5mAcGw4N0sg7JZB8gNk0uYwf+5gIl7D20rDUcym7Cg8JKqnstd
         HbkecVEwyFrAHmQPYMRoZaPMyp9kB1YDtoxJb9XVvuQoiDjhdXc1lafNeJd/a/6LMNDZ
         FRMg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=YodxnVT9J4SJatIjCLhs6MT9asA9zbNt4fBI7dZ/88Q=;
        b=JDMzE+OqCvVPg4dH0LwdG6qPehS/yCLYwyzyS/9wUxA1lsCe5pK7pPabaL2eTSa7cG
         90CLT6htmctPhrrBDgZyBvYpbA2khJ4XxClDDgZ4pvEr6PCSZm3dEpmSbIBwoB/7fssz
         TSw5K6h8qNAt2wR6/Xd+LgGElD25w/Pzz/irbv9/0xiCJ6/RDJ++fbDXWtwy8wxFInlt
         n7EtYD+UGbon3re+q5IcOnZ1E2LVic+A8II+nqIaFJZdcWQTG5K1fLlSe/us5g/agavk
         p1x7EIoWfXhYxoRpzd7FG/xJJ53tG0TDhYfizBVdFJYjb1dn6CcsxkzGHR6cftkrae1F
         Qz8Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=KIETlKK7;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id w12si3856014pjb.82.2021.04.27.09.59.23;
        Tue, 27 Apr 2021 09:59:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=KIETlKK7;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S237893AbhD0Q72 (ORCPT <rfc822;liu.song.a23@gmail.com>
        + 99 others); Tue, 27 Apr 2021 12:59:28 -0400
Received: from mail.kernel.org ([198.145.29.99]:44906 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S237720AbhD0Q71 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Apr 2021 12:59:27 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 3BA6561165;
        Tue, 27 Apr 2021 16:58:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1619542723;
        bh=wERojalQ9dUWLbKBoiBa7cXRmoy3rgdT4eSYH2cRmew=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=KIETlKK7KKOunXOjbqIpzyBvi8EU4ZAuTAlTLc9pJwDh29Q0TBzwoslu1BNB3LG4A
         EsJWhSxHGJP8aQrOZK3wDbKx6lbZeHBkGEzkS7S0csRsHXiSk1817nIdOk7j4Uz7ZG
         furEgWnId4H6BiyflxCW5pmiYw8YVj8nA3Je7dkM=
Date:   Tue, 27 Apr 2021 18:58:41 +0200
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     stable@vger.kernel.org, Wenwen Wang <wang6495@umn.edu>,
        Mike Snitzer <snitzer@redhat.com>
Subject: Re: [PATCH 181/190] Revert "dm ioctl: harden copy_params()'s
 copy_from_user() from malicious users"
Message-ID: <YIhCwe+FVtgm0LlD@kroah.com>
References: <20210421130105.1226686-1-gregkh@linuxfoundation.org>
 <20210421130105.1226686-182-gregkh@linuxfoundation.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210421130105.1226686-182-gregkh@linuxfoundation.org>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 21, 2021 at 03:00:56PM +0200, Greg Kroah-Hartman wrote:
> This reverts commit 800a7340ab7dd667edf95e74d8e4f23a17e87076.
> 
> Commits from @umn.edu addresses have been found to be submitted in "bad
> faith" to try to test the kernel community's ability to review "known
> malicious" changes.  The result of these submissions can be found in a
> paper published at the 42nd IEEE Symposium on Security and Privacy
> entitled, "Open Source Insecurity: Stealthily Introducing
> Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
> of Minnesota) and Kangjie Lu (University of Minnesota).
> 
> Because of this, all submissions from this group must be reverted from
> the kernel tree and will need to be re-reviewed again to determine if
> they actually are a valid fix.  Until that work is complete, remove this
> change to ensure that no problems are being introduced into the
> codebase.
> 
> Cc: stable@vger.kernel.org
> Cc: Wenwen Wang <wang6495@umn.edu>
> Cc: Mike Snitzer <snitzer@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/md/dm-ioctl.c | 18 ++++++++++++------
>  1 file changed, 12 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
> index 1ca65b434f1f..820342de92cd 100644
> --- a/drivers/md/dm-ioctl.c
> +++ b/drivers/md/dm-ioctl.c
> @@ -1747,7 +1747,8 @@ static void free_params(struct dm_ioctl *param, size_t param_size, int param_fla
>  }
>  
>  static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel,
> -		       int ioctl_flags, struct dm_ioctl **param, int *param_flags)
> +		       int ioctl_flags,
> +		       struct dm_ioctl **param, int *param_flags)
>  {
>  	struct dm_ioctl *dmi;
>  	int secure_data;
> @@ -1788,13 +1789,18 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern
>  
>  	*param_flags |= DM_PARAMS_MALLOC;
>  
> -	/* Copy from param_kernel (which was already copied from user) */
> -	memcpy(dmi, param_kernel, minimum_data_size);
> -
> -	if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size,
> -			   param_kernel->data_size - minimum_data_size))
> +	if (copy_from_user(dmi, user, param_kernel->data_size))
>  		goto bad;
> +
>  data_copied:
> +	/*
> +	 * Abort if something changed the ioctl data while it was being copied.
> +	 */
> +	if (dmi->data_size != param_kernel->data_size) {
> +		DMERR("rejecting ioctl: data size modified while processing parameters");
> +		goto bad;
> +	}
> +
>  	/* Wipe the user buffer so we do not return it to userspace */
>  	if (secure_data && clear_user(user, param_kernel->data_size))
>  		goto bad;
> -- 
> 2.31.1
> 

Original looks correct, dropping this commit now.

greg k-h