From: Jens Axboe <axboe@kernel.dk>
To: Richard Weinberger <richard@nod.at>
Cc: wolfgang.glas@iteg.at, christoph.lechleitner@iteg.at,
philipp.reisner@linbit.com, stable@vger.kernel.org,
linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk,
drbd-dev@lists.linbit.com
Subject: Re: [Drbd-dev] [PATCH] drbd: Fix kernel_sendmsg() usage
Date: Tue, 8 Nov 2016 09:52:04 -0700
Message-ID: <20161108165204.GC2834@kernel.dk>
In-Reply-To: <497abc52-093f-17ea-5fb5-645030a23a01@nod.at>
On Tue, Nov 08 2016, Richard Weinberger wrote:
> On 08.11.2016 14:43, Lars Ellenberg wrote:
> > From 3a5859e696178e31a25e65de58c461046fc52beb Mon Sep 17 00:00:00 2001
> > From: Richard Weinberger <richard@nod.at>
> > Date: Tue, 8 Nov 2016 11:43:09 +0100
> > Subject: [PATCH] drbd: Fix kernel_sendmsg() usage - potential NULL deref
> > drbd: Fix kernel_sendmsg() usage - potential NULL deref
> >
> > Don't pass a size larger than iov_len to kernel_sendmsg().
> > Otherwise it will cause a NULL pointer deref when kernel_sendmsg()
> > returns with rv < size.
> >
> > DRBD as external module has been around in the kernel 2.4 days already.
> > We used to be compatible with 2.4 and very early 2.6 kernels,
> > we used to use
> > rv = sock_sendmsg(sock, &msg, iov.iov_len);
> > then later changed to
> > rv = kernel_sendmsg(sock, &msg, &iov, 1, size);
> > when we should have used
> > rv = kernel_sendmsg(sock, &msg, &iov, 1, iov.iov_len);
> >
> > tcp_sendmsg() used to totally ignore the size parameter.
> > 57be5bd ip: convert tcp_sendmsg() to iov_iter primitives
> > changes that, and exposes our long-standing error.
> >
> > Even with this error exposed, to trigger the bug, we would need to have
> > an environment (config or otherwise) causing us to not use sendpage()
> > for larger transfers, a flaky connection, and have it fail "just at the
> > right time". Apparently that was unlikely enough for most, so this went
> > unnoticed for years.
> >
> > Still, it is known to trigger at least some of these,
> > and suspected for the others:
> > [0] http://lists.linbit.com/pipermail/drbd-user/2016-July/023112.html
> > [1] http://lists.linbit.com/pipermail/drbd-dev/2016-March/003362.html
> > [2] https://forums.grsecurity.net/viewtopic.php?f=3&t=4546
> > [3] https://ubuntuforums.org/showthread.php?t=2336150
> > [4] http://e2.howsolveproblem.com/i/1175162/
> >
> > This should go into 4.9,
> > and into all stable branches since and including v4.0,
> > which is the first to contain the exposing change.
> >
> > It is correct for all stable branches older than that as well
> > (which contain the DRBD driver; which is 2.6.33 and up).
> >
> > It requires a small "conflict" resolution for v4.4 and earlier, with v4.5
> > we dropped the comment block immediately preceding the kernel_sendmsg().
> >
> > Cc: stable@vger.kernel.org
> > Cc: viro@zeniv.linux.org.uk
> > Cc: christoph.lechleitner@iteg.at
> > Cc: wolfgang.glas@iteg.at
> > Reported-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
> > Tested-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
> > Signed-off-by: Richard Weinberger <richard@nod.at>
> > Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
>
> Changing my patch is perfectly fine, but please clearly state it.
> I.e. by adding something like that before your S-o-b.
> [Lars: Massaged patch to match my personal taste...]
Lars, are you sending a new one? If you do, add the stable tag as well.
--
Jens Axboe
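The accounting mistake the quoted commit message describes, modelled in user space as an added example. This is not DRBD's code and not the patch under discussion: model_sendmsg() is a constructed stand-in for kernel_sendmsg() that does short writes and merely records when the byte count it is handed exceeds the iov it is handed (the real kernel, once tcp_sendmsg() honoured that count, walked off the end of the iov instead). The shape of the retry loop, with the iov shrinking after every partial send while the original size keeps being passed, is an assumption drawn from the "rv < size" description in the message, not copied from the driver.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Constructed model of a socket that performs short writes: each call moves
 * at most `cap` bytes. It records how far a caller's `len` overshot the iov,
 * which is the condition the commit message says makes the real
 * kernel_sendmsg() dereference NULL once tcp_sendmsg() honours `len`. */
struct model_sock {
	size_t cap;            /* max bytes accepted per call */
	size_t calls;          /* number of sendmsg calls made */
	size_t worst_excess;   /* largest (len - iov_len) seen; 0 means correct */
	char   out[64];        /* bytes "on the wire" */
	size_t out_len;
};

/* Stand-in for kernel_sendmsg(sock, &msg, &iov, 1, len) with a single iov. */
static ssize_t model_sendmsg(struct model_sock *s, const struct iovec *iov, size_t len)
{
	size_t n;

	s->calls++;
	if (len > iov->iov_len) {
		size_t excess = len - iov->iov_len;
		if (excess > s->worst_excess)
			s->worst_excess = excess;
		len = iov->iov_len;   /* the model clamps; the kernel does not */
	}
	n = len < s->cap ? len : s->cap;
	if (s->out_len + n > sizeof(s->out))
		return -1;
	memcpy(s->out + s->out_len, iov->iov_base, n);
	s->out_len += n;
	return (ssize_t)n;
}

/* The pattern the commit message calls wrong (assumed shape): the iov is
 * advanced after every short write, but the original `size` is still passed
 * as the byte count, so from the second call on it exceeds iov.iov_len. */
static size_t send_all_buggy(struct model_sock *s, const char *buf, size_t size)
{
	struct iovec iov = { .iov_base = (void *)buf, .iov_len = size };
	size_t sent = 0;

	do {
		ssize_t rv = model_sendmsg(s, &iov, size);   /* should be iov.iov_len */
		if (rv <= 0)
			break;
		sent += (size_t)rv;
		iov.iov_base = (char *)iov.iov_base + rv;
		iov.iov_len -= (size_t)rv;
	} while (sent < size);
	return sent;
}

/* The corrected pattern: the byte count is always what the iov covers. */
static size_t send_all_fixed(struct model_sock *s, const char *buf, size_t size)
{
	struct iovec iov = { .iov_base = (void *)buf, .iov_len = size };
	size_t sent = 0;

	do {
		ssize_t rv = model_sendmsg(s, &iov, iov.iov_len);
		if (rv <= 0)
			break;
		sent += (size_t)rv;
		iov.iov_base = (char *)iov.iov_base + rv;
		iov.iov_len -= (size_t)rv;
	} while (sent < size);
	return sent;
}

/* Run one loop over a constructed 10-byte payload on a socket that takes
 * 4 bytes per call, so every transfer needs three partial sends. */
static struct model_sock run_loop(size_t (*loop)(struct model_sock *, const char *, size_t))
{
	struct model_sock s = { .cap = 4 };
	const char payload[] = "0123456789";   /* constructed sample data */

	loop(&s, payload, 10);
	return s;
}

/* 1 if the bytes that reached the wire equal the payload, else 0. */
static int wire_matches_payload(size_t (*loop)(struct model_sock *, const char *, size_t))
{
	struct model_sock s = run_loop(loop);

	return s.out_len == 10 && memcmp(s.out, "0123456789", 10) == 0;
}

int main(void)
{
	printf("buggy loop: worst overshoot %zu bytes in %zu calls\n",
	       run_loop(send_all_buggy).worst_excess, run_loop(send_all_buggy).calls);
	printf("fixed loop: worst overshoot %zu bytes in %zu calls\n",
	       run_loop(send_all_fixed).worst_excess, run_loop(send_all_fixed).calls);
	return 0;
}
```

Both loops deliver all ten bytes here because the model clamps, which is exactly why the bug hid for years: the output is right whenever the count is ignored or tolerated, and the overshoot only matters once the callee trusts it.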