From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+51177e4144d764827c45@syzkaller.appspotmail.com,
Christoph Hellwig <hch@lst.de>,
Christian Brauner <brauner@kernel.org>,
Eric Biggers <ebiggers@google.com>
Subject: [PATCH 6.3 02/11] fsverity: reject FS_IOC_ENABLE_VERITY on mode 3 fds
Date: Fri, 28 Apr 2023 13:27:37 +0200 [thread overview]
Message-ID: <20230428112039.977228992@linuxfoundation.org> (raw)
In-Reply-To: <20230428112039.886496777@linuxfoundation.org>
From: Eric Biggers <ebiggers@google.com>
commit 04839139213cf60d4c5fc792214a08830e294ff8 upstream.
Commit 56124d6c87fd ("fsverity: support enabling with tree block size <
PAGE_SIZE") changed FS_IOC_ENABLE_VERITY to use __kernel_read() to read
the file's data, instead of direct pagecache accesses.
An unintended consequence of this is that the
'WARN_ON_ONCE(!(file->f_mode & FMODE_READ))' in __kernel_read() became
reachable by fuzz tests. This happens if FS_IOC_ENABLE_VERITY is called
on a fd opened with access mode 3, which means "ioctl access only".
Arguably, FS_IOC_ENABLE_VERITY should work on ioctl-only fds. But
ioctl-only fds are a weird Linux extension that is rarely used and that
few people even know about. (The documentation for FS_IOC_ENABLE_VERITY
even specifically says it requires O_RDONLY.) It's probably not
worthwhile to make the ioctl internally open a new fd just to handle
this case. Thus, just reject the ioctl on such fds for now.
Fixes: 56124d6c87fd ("fsverity: support enabling with tree block size < PAGE_SIZE")
Reported-by: syzbot+51177e4144d764827c45@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=2281afcbbfa8fdb92f9887479cc0e4180f1c6b28
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230406215106.235829-1-ebiggers@kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/verity/enable.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/verity/enable.c
+++ b/fs/verity/enable.c
@@ -347,6 +347,13 @@ int fsverity_ioctl_enable(struct file *f
err = file_permission(filp, MAY_WRITE);
if (err)
return err;
+ /*
+ * __kernel_read() is used while building the Merkle tree. So, we can't
+ * allow file descriptors that were opened for ioctl access only, using
+ * the special nonstandard access mode 3. O_RDONLY only, please!
+ */
+ if (!(filp->f_mode & FMODE_READ))
+ return -EBADF;
if (IS_APPEND(inode))
return -EPERM;
next prev parent reply other threads:[~2023-04-28 11:28 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-28 11:27 [PATCH 6.3 00/11] 6.3.1-rc1 review Greg Kroah-Hartman
2023-04-28 11:27 ` [PATCH 6.3 01/11] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Greg Kroah-Hartman
2023-04-28 11:27 ` Greg Kroah-Hartman [this message]
2023-04-28 11:27 ` [PATCH 6.3 03/11] drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var Greg Kroah-Hartman
2023-04-28 11:27 ` [PATCH 6.3 04/11] fsverity: explicitly check for buffer overflow in build_merkle_tree() Greg Kroah-Hartman
2023-04-28 11:27 ` [PATCH 6.3 05/11] gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xNU Greg Kroah-Hartman
2023-04-28 11:27 ` [PATCH 6.3 06/11] bluetooth: Perform careful capability checks in hci_sock_ioctl() Greg Kroah-Hartman
2023-04-28 11:27 ` [PATCH 6.3 07/11] wifi: brcmfmac: add Cypress 43439 SDIO ids Greg Kroah-Hartman
2023-04-28 11:27 ` [PATCH 6.3 08/11] btrfs: fix uninitialized variable warnings Greg Kroah-Hartman
2023-04-28 11:27 ` [PATCH 6.3 09/11] mm/mremap: fix vm_pgoff in vma_merge() case 3 Greg Kroah-Hartman
2023-04-28 11:27 ` [PATCH 6.3 10/11] USB: serial: option: add UNISOC vendor and TOZED LT70C product Greg Kroah-Hartman
2023-04-28 11:27 ` [PATCH 6.3 11/11] driver core: Dont require dynamic_debug for initcall_debug probe timing Greg Kroah-Hartman
2023-04-28 16:42 ` [PATCH 6.3 00/11] 6.3.1-rc1 review Markus Reichelt
2023-04-28 22:24 ` Shuah Khan
2023-04-28 23:14 ` Naresh Kamboju
2023-04-29 0:37 ` Rudi Heitbaum
2023-04-29 3:56 ` Ron Economos
2023-04-29 4:10 ` Guenter Roeck
2023-04-29 7:39 ` Bagas Sanjaya
2023-04-29 17:14 ` Florian Fainelli
2023-05-02 8:17 ` Chris Paterson
2023-05-02 16:18 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230428112039.977228992@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=brauner@kernel.org \
--cc=ebiggers@google.com \
--cc=hch@lst.de \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+51177e4144d764827c45@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.