From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from wtarreau.pck.nerim.net ([62.212.114.60]:54829 "EHLO 1wt.eu"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751277AbbFZGGe (ORCPT <rfc822;stable@vger.kernel.org>);
	Fri, 26 Jun 2015 02:06:34 -0400
Date: Fri, 26 Jun 2015 07:56:56 +0200
From: Willy Tarreau <w@1wt.eu>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Vinson Lee <vlee@twopensource.com>,
	Zhang Zhen <zhenzhang.zhang@huawei.com>,
	stable@vger.kernel.org, ben@decadent.org.uk,
	viro@zeniv.linux.org.uk
Subject: Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write
Message-ID: <20150626055656.GA20292@1wt.eu>
References: <1426840866-66427-1-git-send-email-zhenzhang.zhang@huawei.com> <550BE17E.90203@huawei.com> <551A4BD8.70804@huawei.com> <CAHTgTXUXGTzW=QT2DfN1GP=eGm7JYEe_33z5-ZmtAiOF9_8AZA@mail.gmail.com> <20150626042201.GB32451@kroah.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20150626042201.GB32451@kroah.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Thu, Jun 25, 2015 at 09:22:01PM -0700, Greg KH wrote:
> On Wed, Jun 03, 2015 at 02:31:14PM -0700, Vinson Lee wrote:
> > On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@huawei.com> wrote:
> > > Hi Greg,
> > >
> > > Jiri Slaby has pushed this patch to his 3.12-stable tree.
> > >
> > > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d
> > >
> > > Can you push it to 3.10-stable tree ???
> > >
> > > Best regards???
> > >
> > > On 2015/3/20 16:59, Zhang Zhen wrote:
> > >> We need to check the position and size of file writes against various
> > >> limits, using generic_write_check(). This was not being done for
> > >> the splice write path. It was fixed upstream by commit 8d0207652cbe
> > >> ("->splice_write() via ->write_iter()") but we can't apply that.
> > >>
> > >> CVE-2014-7822
> > >>
> > >> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > >> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
> > >> Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
> > >> ---
> > >>  fs/ocfs2/file.c | 8 +++++---
> > >>  fs/splice.c     | 8 ++++++--
> > >>  2 files changed, 11 insertions(+), 5 deletions(-)
> > >>
> > >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> > >> index 46387e4..e0b1c88 100644
> > >> --- a/fs/ocfs2/file.c
> > >> +++ b/fs/ocfs2/file.c
> > >> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
> > >>       struct address_space *mapping = out->f_mapping;
> > >>       struct inode *inode = mapping->host;
> > >>       struct splice_desc sd = {
> > >> -             .total_len = len,
> > >>               .flags = flags,
> > >> -             .pos = *ppos,
> > >>               .u.file = out,
> > >>       };
> > >> -
> > >> +     ret = generic_write_checks(out, ppos, &len, 0);
> > >> +     if(ret)
> > >> +             return ret;
> > >> +     sd.total_len = len;
> > >> +     sd.pos = *ppos;
> > >>
> > >>       trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry,
> > >>                       (unsigned long long)OCFS2_I(inode)->ip_blkno,
> > >> diff --git a/fs/splice.c b/fs/splice.c
> > >> index 4b5a5fa..f183f13 100644
> > >> --- a/fs/splice.c
> > >> +++ b/fs/splice.c
> > >> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
> > >>       struct address_space *mapping = out->f_mapping;
> > >>       struct inode *inode = mapping->host;
> > >>       struct splice_desc sd = {
> > >> -             .total_len = len,
> > >>               .flags = flags,
> > >> -             .pos = *ppos,
> > >>               .u.file = out,
> > >>       };
> > >>       ssize_t ret;
> > >>
> > >> +     ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
> > >> +     if (ret)
> > >> +             return ret;
> > >> +     sd.total_len = len;
> > >> +     sd.pos = *ppos;
> > >> +
> > >>       pipe_lock(pipe);
> > >>
> > >>       splice_from_pipe_begin(&sd);
> > >>
> > >
> > >
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe stable" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
> > 
> > Hi.
> > 
> > The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix
> > is also needed for the 3.14 stable branch.
> 
> I don't understand, what commit id are you talking about?  What patch
> should be applied to 3.14-stable?

I think it's this one (from 3.10) which doesn't have an equivalent in 3.14 :

  commit 13d32f27d15c5c53254ed88e3d2042c34de1bfaa
  Author: Ben Hutchings <ben@decadent.org.uk>
  Date:   Thu Jan 29 02:50:33 2015 +0000

    splice: Apply generic position and size checks to each write
    
    commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
    
    We need to check the position and size of file writes against various
    limits, using generic_write_check().  This was not being done for
    the splice write path.  It was fixed upstream by commit 8d0207652cbe
    ("->splice_write() via ->write_iter()") but we can't apply that.
    
    CVE-2014-7822
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
    Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Willy