From: Greg KH <gregkh@linuxfoundation.org>
To: Willy Tarreau <w@1wt.eu>
Cc: Vinson Lee <vlee@twopensource.com>,
	Zhang Zhen <zhenzhang.zhang@huawei.com>,
	stable@vger.kernel.org, ben@decadent.org.uk,
	viro@zeniv.linux.org.uk
Subject: Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write
Date: Mon, 29 Jun 2015 17:42:25 -0700
Message-ID: <20150630004225.GJ6430@kroah.com>
In-Reply-To: <20150626055656.GA20292@1wt.eu>

On Fri, Jun 26, 2015 at 07:56:56AM +0200, Willy Tarreau wrote:
> On Thu, Jun 25, 2015 at 09:22:01PM -0700, Greg KH wrote:
> > On Wed, Jun 03, 2015 at 02:31:14PM -0700, Vinson Lee wrote:
> > > On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@huawei.com> wrote:
> > > > Hi Greg,
> > > >
> > > > Jiri Slaby has pushed this patch to his 3.12-stable tree.
> > > >
> > > > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d
> > > >
> > > > Can you push it to 3.10-stable tree?
> > > >
> > > > Best regards,
> > > >
> > > > On 2015/3/20 16:59, Zhang Zhen wrote:
> > > >> We need to check the position and size of file writes against various
> > > >> limits, using generic_write_check(). This was not being done for
> > > >> the splice write path. It was fixed upstream by commit 8d0207652cbe
> > > >> ("->splice_write() via ->write_iter()") but we can't apply that.
> > > >>
> > > >> CVE-2014-7822
> > > >>
> > > >> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > > >> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
> > > >> Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
> > > >> ---
> > > >>  fs/ocfs2/file.c | 8 +++++---
> > > >>  fs/splice.c     | 8 ++++++--
> > > >>  2 files changed, 11 insertions(+), 5 deletions(-)
> > > >>
> > > >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> > > >> index 46387e4..e0b1c88 100644
> > > >> --- a/fs/ocfs2/file.c
> > > >> +++ b/fs/ocfs2/file.c
> > > >> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
> > > >>       struct address_space *mapping = out->f_mapping;
> > > >>       struct inode *inode = mapping->host;
> > > >>       struct splice_desc sd = {
> > > >> -             .total_len = len,
> > > >>               .flags = flags,
> > > >> -             .pos = *ppos,
> > > >>               .u.file = out,
> > > >>       };
> > > >> -
> > > >> +     ret = generic_write_checks(out, ppos, &len, 0);
> > > >> +     if(ret)
> > > >> +             return ret;
> > > >> +     sd.total_len = len;
> > > >> +     sd.pos = *ppos;
> > > >>
> > > >>       trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry,
> > > >>                       (unsigned long long)OCFS2_I(inode)->ip_blkno,
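
Review bot: the added `if(ret)` in ocfs2_file_splice_write() is missing the space after `if`; the matching check in fs/splice.c is written `if (ret)`, and the two should agree. The hunk also drops the blank line after the `sd` initializer, so `ret = generic_write_checks(out, ppos, &len, 0);` runs straight on from the closing `};`; keep a blank line there. The last argument is a literal 0 here while fs/splice.c passes S_ISBLK(inode->i_mode); a short comment saying why 0 is correct for this caller would save the next reader from checking.
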
> > > >> diff --git a/fs/splice.c b/fs/splice.c
> > > >> index 4b5a5fa..f183f13 100644
> > > >> --- a/fs/splice.c
> > > >> +++ b/fs/splice.c
> > > >> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
> > > >>       struct address_space *mapping = out->f_mapping;
> > > >>       struct inode *inode = mapping->host;
> > > >>       struct splice_desc sd = {
> > > >> -             .total_len = len,
> > > >>               .flags = flags,
> > > >> -             .pos = *ppos,
> > > >>               .u.file = out,
> > > >>       };
> > > >>       ssize_t ret;
> > > >>
> > > >> +     ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
> > > >> +     if (ret)
> > > >> +             return ret;
> > > >> +     sd.total_len = len;
> > > >> +     sd.pos = *ppos;
> > > >> +
> > > >>       pipe_lock(pipe);
> > > >>
> > > >>       splice_from_pipe_begin(&sd);
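
Review bot: nothing in generic_file_splice_write() records why `.total_len` and `.pos` left the `sd` initializer. generic_write_checks() receives `ppos` and `&len` by pointer, so both may be adjusted before `sd.total_len = len;` and `sd.pos = *ppos;` copy them; a one-line comment above the call saying the descriptor must be filled from the checked values would keep a later cleanup from folding them back into the initializer. Placing the early `return ret` before pipe_lock(pipe) is right, since no unlock is needed on that path.
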
> > > >>
> > > >
> > > >
> > > 
> > > 
> > > Hi.
> > > 
> > > The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix
> > > is also needed for the 3.14 stable branch.
> > 
> > I don't understand, what commit id are you talking about?  What patch
> > should be applied to 3.14-stable?
> 
> I think it's this one (from 3.10) which doesn't have an equivalent in 3.14 :
> 
>   commit 13d32f27d15c5c53254ed88e3d2042c34de1bfaa
>   Author: Ben Hutchings <ben@decadent.org.uk>
>   Date:   Thu Jan 29 02:50:33 2015 +0000
> 
>     splice: Apply generic position and size checks to each write
>     
>     commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
>     
>     We need to check the position and size of file writes against various
>     limits, using generic_write_check().  This was not being done for
>     the splice write path.  It was fixed upstream by commit 8d0207652cbe
>     ("->splice_write() via ->write_iter()") but we can't apply that.
>     
>     CVE-2014-7822
>     
>     Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
>     [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
>     Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
>     Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thanks, that makes sense, now applied.

greg k-h
