From: Willy Tarreau <w@1wt.eu>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Vinson Lee <vlee@twopensource.com>,
Zhang Zhen <zhenzhang.zhang@huawei.com>,
stable@vger.kernel.org, ben@decadent.org.uk,
viro@zeniv.linux.org.uk
Subject: Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write
Date: Fri, 26 Jun 2015 07:56:56 +0200
Message-ID: <20150626055656.GA20292@1wt.eu>
In-Reply-To: <20150626042201.GB32451@kroah.com>

On Thu, Jun 25, 2015 at 09:22:01PM -0700, Greg KH wrote:
> On Wed, Jun 03, 2015 at 02:31:14PM -0700, Vinson Lee wrote:
> > On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@huawei.com> wrote:
> > > Hi Greg,
> > >
> > > Jiri Slaby has pushed this patch to his 3.12-stable tree.
> > >
> > > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d
> > >
> > > Can you push it to 3.10-stable tree?
> > >
> > > Best regards,
> > >
> > > On 2015/3/20 16:59, Zhang Zhen wrote:
> > >> We need to check the position and size of file writes against various
> > >> limits, using generic_write_check(). This was not being done for
> > >> the splice write path. It was fixed upstream by commit 8d0207652cbe
> > >> ("->splice_write() via ->write_iter()") but we can't apply that.
> > >>
> > >> CVE-2014-7822
> > >>
> > >> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > >> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
> > >> Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
> > >> ---
> > >> fs/ocfs2/file.c | 8 +++++---
> > >> fs/splice.c | 8 ++++++--
> > >> 2 files changed, 11 insertions(+), 5 deletions(-)
> > >>
> > >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> > >> index 46387e4..e0b1c88 100644
> > >> --- a/fs/ocfs2/file.c
> > >> +++ b/fs/ocfs2/file.c
> > >> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
> > >> struct address_space *mapping = out->f_mapping;
> > >> struct inode *inode = mapping->host;
> > >> struct splice_desc sd = {
> > >> - .total_len = len,
> > >> .flags = flags,
> > >> - .pos = *ppos,
> > >> .u.file = out,
> > >> };
> > >> -
> > >> + ret = generic_write_checks(out, ppos, &len, 0);
> > >> + if(ret)
> > >> + return ret;
> > >> + sd.total_len = len;
> > >> + sd.pos = *ppos;
> > >>
> > >> trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry,
> > >> (unsigned long long)OCFS2_I(inode)->ip_blkno,
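
Review bot: `if(ret)` in the added block lacks the space after `if` that kernel coding style requires and that the fs/splice.c hunk of this same patch uses (`if (ret)`). The hunk also drops the blank line between the `sd` initializer and the first statement, so the new call runs straight on from the declaration; that blank line should stay. The declaration of `ret` is outside the visible context, so check that it precedes this call and that its type can carry the value `generic_write_checks()` returns. The fourth argument is a literal `0` here while fs/splice.c passes `S_ISBLK(inode->i_mode)`; a sentence in the commit message on why the two differ would help.
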
> > >> diff --git a/fs/splice.c b/fs/splice.c
> > >> index 4b5a5fa..f183f13 100644
> > >> --- a/fs/splice.c
> > >> +++ b/fs/splice.c
> > >> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
> > >> struct address_space *mapping = out->f_mapping;
> > >> struct inode *inode = mapping->host;
> > >> struct splice_desc sd = {
> > >> - .total_len = len,
> > >> .flags = flags,
> > >> - .pos = *ppos,
> > >> .u.file = out,
> > >> };
> > >> ssize_t ret;
> > >>
> > >> + ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
> > >> + if (ret)
> > >> + return ret;
> > >> + sd.total_len = len;
> > >> + sd.pos = *ppos;
> > >> +
> > >> pipe_lock(pipe);
> > >>
> > >> splice_from_pipe_begin(&sd);
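
Review bot: The early `return ret` after `generic_write_checks()` is safe only because the block sits ahead of `pipe_lock(pipe)`, so nothing needs unlocking on that path; a short comment saying so would guard against the check being moved below the lock later. `ppos` and `&len` are passed by pointer, so the call can adjust them, which is why `.total_len` and `.pos` move out of the initializer and are assigned afterwards; that ordering dependency also deserves a comment. The commit message refers to `generic_write_check()` while the code calls `generic_write_checks()`; the message should use the real name so the change is searchable.
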
> > >>
> > >
> > >
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe stable" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
> >
> > Hi.
> >
> > The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix
> > is also needed for the 3.14 stable branch.
>
> I don't understand, what commit id are you talking about? What patch
> should be applied to 3.14-stable?

I think it's this one (from 3.10) which doesn't have an equivalent in 3.14 :

commit 13d32f27d15c5c53254ed88e3d2042c34de1bfaa
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Thu Jan 29 02:50:33 2015 +0000

    splice: Apply generic position and size checks to each write

    commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.

    We need to check the position and size of file writes against various
    limits, using generic_write_check(). This was not being done for
    the splice write path. It was fixed upstream by commit 8d0207652cbe
    ("->splice_write() via ->write_iter()") but we can't apply that.

    CVE-2014-7822

    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
    Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Willy