From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jonathan Corbet
Date: Wed, 30 Jul 2014 09:57:09 -0400
Subject: [Cluster-devel] [RFC PATCH 5/5] gfs2: Add xreaddir file operation and supporting functions
In-Reply-To: <584806381.15003446.1406672757956.JavaMail.zimbra@redhat.com>
References: <1406309888-10749-1-git-send-email-adas@redhat.com>
 <1406309888-10749-6-git-send-email-adas@redhat.com>
 <20140729145808.79bec165@lwn.net>
 <584806381.15003446.1406672757956.JavaMail.zimbra@redhat.com>
Message-ID: <20140730095709.62bade17@lwn.net>
To: cluster-devel.redhat.com
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Tue, 29 Jul 2014 18:25:57 -0400 (EDT)
Abhijith Das wrote:

> > > + if ((xc->xc_xattr_mask & XSTAT_XATTR_ALL) &&
> > > + lxd->xd_blob.xb_xattr_count) {
> >
> > How can that be right? lxd is __user, it doesn't seem right to be
> > dereferencing it directly...?
>
> Wouldn't the call to access_ok() at the start of the syscall take care of this? All the
> __user pointers point to areas within the user supplied buffer buf and overflow past the
> end of the buffer for the last lxd is checked for.

No, dereferencing user-space pointers in the kernel is never OK. What if
user space remapped that page after the access_ok() call? You need to
use copy_*_user() to get at user-space structures from the kernel.
jon
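The access_ok() versus copy_from_user() point in the reply above, as an added user-space model that is not part of the thread, the gfs2 patch, or the kernel: sim_access_ok() and sim_copy_from_user() are constructed stand-ins for the kernel helpers (the kernel's real copy_from_user() recovers from the fault through exception-table fixups; a SIGSEGV handler plus siglongjmp plays that role here), the struct layouts are assumptions modelled on the quoted hunk, and mprotect(PROT_NONE) stands in for user space remapping the page after the range check has already passed.

```c
/* Constructed model of "access_ok() is only a range check; use copy_from_user()".
 * Not kernel code and not gfs2 code. sim_access_ok(), sim_copy_from_user() and
 * the struct layouts below are assumptions made for this example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct xd_blob { uint32_t xb_xattr_count; };       /* assumed layout */
struct linux_xdirent { struct xd_blob xd_blob; };  /* assumed layout */

/* Simulated user address space: one page that "user space" can revoke later. */
static unsigned char *user_page;
static size_t user_page_len;

/* Like access_ok(): a pure range check done once. It does not pin the pages,
 * so it says nothing about whether they are still mapped when the access happens. */
static bool sim_access_ok(const void *uptr, size_t len)
{
    const unsigned char *p = uptr;
    return p >= user_page && len <= user_page_len &&
           p + len <= user_page + user_page_len;
}

/* Fault guard standing in for the kernel's exception-table fixup. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t in_guarded_copy;

static void segv_handler(int sig)
{
    (void)sig;
    if (in_guarded_copy)
        siglongjmp(fault_env, 1);   /* fault inside a guarded copy: recover */
    _exit(139);                     /* fault elsewhere: the "kernel oops" case */
}

static void install_fault_guard(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = segv_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

/* Like copy_from_user(): returns 0 on success, bytes not copied on fault. */
static size_t sim_copy_from_user(void *to, const void *from, size_t n)
{
    if (!sim_access_ok(from, n))
        return n;
    in_guarded_copy = 1;
    if (sigsetjmp(fault_env, 1)) {
        in_guarded_copy = 0;
        return n;                   /* page vanished: report, do not crash */
    }
    memcpy(to, from, n);
    in_guarded_copy = 0;
    return 0;
}

/* The pattern in the quoted hunk: dereference the __user pointer directly.
 * Gives the right answer only while the page happens to be mapped. */
static uint32_t xattr_count_direct(const struct linux_xdirent *lxd_user)
{
    return lxd_user->xd_blob.xb_xattr_count;
}

/* The pattern the reply asks for: copy the struct into kernel memory once,
 * then work on the copy. Returns 0 and fills *count, or -EFAULT. */
static int xattr_count_copied(const struct linux_xdirent *lxd_user, uint32_t *count)
{
    struct linux_xdirent k;
    if (sim_copy_from_user(&k, lxd_user, sizeof k))
        return -EFAULT;
    *count = k.xd_blob.xb_xattr_count;
    return 0;
}

/* Map the simulated user page and store a constructed count; returns the user pointer. */
static struct linux_xdirent *user_map_with_count(uint32_t count)
{
    install_fault_guard();
    user_page_len = (size_t)sysconf(_SC_PAGESIZE);
    user_page = mmap(NULL, user_page_len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (user_page == MAP_FAILED)
        return NULL;
    struct linux_xdirent *lxd = (struct linux_xdirent *)user_page;
    lxd->xd_blob.xb_xattr_count = count;
    return lxd;
}

/* "User space" remaps its buffer after the range check; PROT_NONE keeps the
 * address reserved so the later access faults deterministically. */
static void user_revoke_page(void)
{
    mprotect(user_page, user_page_len, PROT_NONE);
}

int main(void)
{
    struct linux_xdirent *lxd = user_map_with_count(7);
    uint32_t n = 0;
    printf("direct while mapped: %u\n", xattr_count_direct(lxd));
    printf("copied while mapped: rc=%d n=%u\n", xattr_count_copied(lxd, &n), n);
    user_revoke_page();
    printf("copied after revoke: rc=%d (-EFAULT is %d)\n", xattr_count_copied(lxd, &n), -EFAULT);
    /* xattr_count_direct(lxd) at this point would take the unguarded fault. */
    return 0;
}
```

sim_access_ok() still passes after the page is revoked, because its bookkeeping never changed; only the copy-based path notices and returns -EFAULT so the caller can fail the syscall cleanly, while the direct dereference would fault inside the "kernel" and is deliberately not exercised once the page is gone. On x86 with SMAP enabled the direct dereference faults even while the page is mapped, since only the copy helpers open the user-access window.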