[patch] Btrfs: fix access_ok() check in btrfs_ioctl

All of lore.kernel.org
 help / color / mirror / Atom feed

* [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
@ 2013-01-10  8:57 ` Dan Carpenter
  0 siblings, 0 replies; 8+ messages in thread
From: Dan Carpenter @ 2013-01-10  8:57 UTC (permalink / raw)
  To: Chris Mason, Alexander Block; +Cc: linux-btrfs, kernel-janitors

The closing parenthesis is in the wrong place.  We want to check
"sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
"sizeof(*arg->clone_sources * arg->clone_sources_count)".

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is also vulnerable to integer overflows.  It's only done under
root, but these days we are trying to restrict what root can do without
configuring Secure Boot in UEFI.

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 5445454..4be3832 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 	}
 
 	if (!access_ok(VERIFY_READ, arg->clone_sources,
-			sizeof(*arg->clone_sources *
-			arg->clone_sources_count))) {
+			sizeof(*arg->clone_sources) *
+			arg->clone_sources_count)) {
 		ret = -EFAULT;
 		goto out;
 	}

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
@ 2013-01-10  8:57 ` Dan Carpenter
  0 siblings, 0 replies; 8+ messages in thread
From: Dan Carpenter @ 2013-01-10  8:57 UTC (permalink / raw)
  To: Chris Mason, Alexander Block; +Cc: linux-btrfs, kernel-janitors

The closing parenthesis is in the wrong place.  We want to check
"sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
"sizeof(*arg->clone_sources * arg->clone_sources_count)".

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is also vulnerable to integer overflows.  It's only done under
root, but these days we are trying to restrict what root can do without
configuring Secure Boot in UEFI.

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 5445454..4be3832 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 	}
 
 	if (!access_ok(VERIFY_READ, arg->clone_sources,
-			sizeof(*arg->clone_sources *
-			arg->clone_sources_count))) {
+			sizeof(*arg->clone_sources) *
+			arg->clone_sources_count)) {
 		ret = -EFAULT;
 		goto out;
 	}

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
  2013-01-10  8:57 ` Dan Carpenter
@ 2013-01-10  9:21   ` Jeff Liu
  -1 siblings, 0 replies; 8+ messages in thread
From: Jeff Liu @ 2013-01-10  9:21 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Chris Mason, Alexander Block, linux-btrfs, kernel-janitors

On 01/10/2013 04:57 PM, Dan Carpenter wrote:
> The closing parenthesis is in the wrong place.  We want to check
> "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> "sizeof(*arg->clone_sources * arg->clone_sources_count)".
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This is also vulnerable to integer overflows.  It's only done under
> root, but these days we are trying to restrict what root can do without
> configuring Secure Boot in UEFI.
> 
> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
> index 5445454..4be3832 100644
> --- a/fs/btrfs/send.c
> +++ b/fs/btrfs/send.c
> @@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
>  	}
>  
>  	if (!access_ok(VERIFY_READ, arg->clone_sources,
> -			sizeof(*arg->clone_sources *
> -			arg->clone_sources_count))) {
> +			sizeof(*arg->clone_sources) *
> +			arg->clone_sources_count)) {
>  		ret = -EFAULT;
>  		goto out;
>  	}
Reviewed-by: Jie Liu <jeff.liu@oracle.com>

Thanks,
-Jeff
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
@ 2013-01-10  9:21   ` Jeff Liu
  0 siblings, 0 replies; 8+ messages in thread
From: Jeff Liu @ 2013-01-10  9:21 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Chris Mason, Alexander Block, linux-btrfs, kernel-janitors

On 01/10/2013 04:57 PM, Dan Carpenter wrote:
> The closing parenthesis is in the wrong place.  We want to check
> "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> "sizeof(*arg->clone_sources * arg->clone_sources_count)".
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This is also vulnerable to integer overflows.  It's only done under
> root, but these days we are trying to restrict what root can do without
> configuring Secure Boot in UEFI.
> 
> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
> index 5445454..4be3832 100644
> --- a/fs/btrfs/send.c
> +++ b/fs/btrfs/send.c
> @@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
>  	}
>  
>  	if (!access_ok(VERIFY_READ, arg->clone_sources,
> -			sizeof(*arg->clone_sources *
> -			arg->clone_sources_count))) {
> +			sizeof(*arg->clone_sources) *
> +			arg->clone_sources_count)) {
>  		ret = -EFAULT;
>  		goto out;
>  	}
Reviewed-by: Jie Liu <jeff.liu@oracle.com>

Thanks,
-Jeff
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
@ 2013-10-21 12:30   ` David Sterba
  0 siblings, 0 replies; 8+ messages in thread
From: David Sterba @ 2013-10-21 12:30 UTC (permalink / raw)
  To: Chris Mason
  Cc: Dan Carpenter, Alexander Block, linux-btrfs, kernel-janitors,
	jbacik

On Thu, Jan 10, 2013 at 11:57:25AM +0300, Dan Carpenter wrote:
> The closing parenthesis is in the wrong place.  We want to check
> "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> "sizeof(*arg->clone_sources * arg->clone_sources_count)".
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Original message id: <20130110085725.GA23063@elgon.mountain>

This patch hasn't been applied.

> ---
> This is also vulnerable to integer overflows.  It's only done under
> root, but these days we are trying to restrict what root can do without
> configuring Secure Boot in UEFI.

Although it's a security fix, it's not exploitable by a user so it's not
that urgent to get it merged. Nevertheless, I hope you can squeeze it
into 3.12-rc so we can then start pushing it to stable kernels (at least
3.10).

> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
> index 5445454..4be3832 100644
> --- a/fs/btrfs/send.c
> +++ b/fs/btrfs/send.c
> @@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
>  	}
>  
>  	if (!access_ok(VERIFY_READ, arg->clone_sources,
> -			sizeof(*arg->clone_sources *
> -			arg->clone_sources_count))) {
> +			sizeof(*arg->clone_sources) *
> +			arg->clone_sources_count)) {
>  		ret = -EFAULT;
>  		goto out;
>  	}

david

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
@ 2013-10-21 12:30   ` David Sterba
  0 siblings, 0 replies; 8+ messages in thread
From: David Sterba @ 2013-10-21 12:30 UTC (permalink / raw)
  To: Chris Mason
  Cc: Dan Carpenter, Alexander Block, linux-btrfs, kernel-janitors,
	jbacik

On Thu, Jan 10, 2013 at 11:57:25AM +0300, Dan Carpenter wrote:
> The closing parenthesis is in the wrong place.  We want to check
> "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> "sizeof(*arg->clone_sources * arg->clone_sources_count)".
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Original message id: <20130110085725.GA23063@elgon.mountain>

This patch hasn't been applied.

> ---
> This is also vulnerable to integer overflows.  It's only done under
> root, but these days we are trying to restrict what root can do without
> configuring Secure Boot in UEFI.

Although it's a security fix, it's not exploitable by a user so it's not
that urgent to get it merged. Nevertheless, I hope you can squeeze it
into 3.12-rc so we can then start pushing it to stable kernels (at least
3.10).

> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
> index 5445454..4be3832 100644
> --- a/fs/btrfs/send.c
> +++ b/fs/btrfs/send.c
> @@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
>  	}
>  
>  	if (!access_ok(VERIFY_READ, arg->clone_sources,
> -			sizeof(*arg->clone_sources *
> -			arg->clone_sources_count))) {
> +			sizeof(*arg->clone_sources) *
> +			arg->clone_sources_count)) {
>  		ret = -EFAULT;
>  		goto out;
>  	}

david

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
  2013-10-21 12:30   ` David Sterba
@ 2013-11-18 10:57     ` David Sterba
  -1 siblings, 0 replies; 8+ messages in thread
From: David Sterba @ 2013-11-18 10:57 UTC (permalink / raw)
  To: jbacik, Dan Carpenter, linux-btrfs, kernel-janitors

On Mon, Oct 21, 2013 at 02:30:05PM +0200, David Sterba wrote:
> On Thu, Jan 10, 2013 at 11:57:25AM +0300, Dan Carpenter wrote:
> > The closing parenthesis is in the wrong place.  We want to check
> > "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> > "sizeof(*arg->clone_sources * arg->clone_sources_count)".
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Original message id: <20130110085725.GA23063@elgon.mountain>
> 
> This patch hasn't been applied.

Please add this patch to btrfs-next.

david

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
@ 2013-11-18 10:57     ` David Sterba
  0 siblings, 0 replies; 8+ messages in thread
From: David Sterba @ 2013-11-18 10:57 UTC (permalink / raw)
  To: jbacik, Dan Carpenter, linux-btrfs, kernel-janitors

On Mon, Oct 21, 2013 at 02:30:05PM +0200, David Sterba wrote:
> On Thu, Jan 10, 2013 at 11:57:25AM +0300, Dan Carpenter wrote:
> > The closing parenthesis is in the wrong place.  We want to check
> > "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> > "sizeof(*arg->clone_sources * arg->clone_sources_count)".
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Original message id: <20130110085725.GA23063@elgon.mountain>
> 
> This patch hasn't been applied.

Please add this patch to btrfs-next.

david

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2013-11-18 10:57 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-10  8:57 [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send() Dan Carpenter
2013-01-10  8:57 ` Dan Carpenter
2013-01-10  9:21 ` Jeff Liu
2013-01-10  9:21   ` Jeff Liu
2013-10-21 12:30 ` David Sterba
2013-10-21 12:30   ` David Sterba
2013-11-18 10:57   ` David Sterba
2013-11-18 10:57     ` David Sterba

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.