From: Olga Kornievskaia <olga.kornievskaia@gmail.com>
To: david@fromorbit.com
Cc: trond.myklebust@hammerspace.com,
Anna Schumaker <anna.schumaker@netapp.com>,
viro@zeniv.linux.org.uk, Steve French <smfrench@gmail.com>,
Miklos Szeredi <miklos@szeredi.hu>,
linux-nfs <linux-nfs@vger.kernel.org>,
linux-fsdevel@vger.kernel.org, linux-cifs@vger.kernel.org,
linux-unionfs@vger.kernel.org, linux-man@vger.kernel.org
Subject: Re: [PATCH v4 02/11] VFS: copy_file_range check validity of input source offset
Date: Tue, 30 Oct 2018 09:40:09 -0400 [thread overview]
Message-ID: <CAN-5tyEfYcSvgzhftM7r8YoB7KQDiJnJXQPTE9pcML6BRSbbYA@mail.gmail.com> (raw)
In-Reply-To: <20181030090344.GN6311@dastard>
On Tue, Oct 30, 2018 at 5:03 AM Dave Chinner <david@fromorbit.com> wrote:
>
> On Mon, Oct 29, 2018 at 10:41:22AM -0400, Olga Kornievskaia wrote:
> > On Sat, Oct 27, 2018 at 5:27 AM Dave Chinner <david@fromorbit.com> wrote:
> > >
> > > On Fri, Oct 26, 2018 at 04:10:48PM -0400, Olga Kornievskaia wrote:
> > > > From: Olga Kornievskaia <kolga@netapp.com>
> > > >
> > > > Input source offset can't be beyond the end of the file.
> > > >
> > > > Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
> > > > ---
> > > > fs/read_write.c | 3 +++
> > > > 1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/fs/read_write.c b/fs/read_write.c
> > > > index fb4ffca..b3b304e 100644
> > > > --- a/fs/read_write.c
> > > > +++ b/fs/read_write.c
> > > > @@ -1594,6 +1594,9 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
> > > > }
> > > > }
> > > >
> > > > + if (pos_in >= i_size_read(inode_in))
> > > > + return -EINVAL;
> > > > +
> > >
> > > vfs_copy_file_range seems ot be missing a wide range of checks.
> > > rlimit, s_maxbytes, LFS file sizes, etc. This is a write, so all the
> > > checks in generic_write_checks() apply, right? And the same security
> > > issues like stripping setuid bits, etc? And we need to touch
> > > atime on the source file, too?
> >
> > Yes sound like needed checks.
> >
> > > We've just merged 5 or so patches in 4.19-rc8 and we're ready to
> > > merge another ~30 patch series to fix all the stuff missing from the
> > > clone/dedupe file range operations that make them safe and robust.
> > > It seems like copy_file_range is all the checks it needs, too?
> >
> > Are you proposing to not do this check now in favor of the proper work
> > that will do all of those checks you listed above?
>
> No, I'm saying that if you're adding one check, there's a whole heap
> of checks that still need to be added, *especially* if this is going
> to fall back to page cache copy between superblocks that may have
> different limits and constraints.
>
> There's security issues in this API. They need to be fixed before we
> allow it to do more and potentially expose more problems due to it's
> wider capability.
Sounds like you are arguing that enabling generic copy_file_range()
via do_splice() isn't a good thing without those checks. I'm totally
OK with removing this functionality. As I mentioned earlier I added it
as I thought it was beneficial and I assumed that do_splice() was a
generic enough API to handle what was needed.
What this patch series was intended for was removing/relocating the
cross device check and it sounds like I should be keeping it just to
that.
> > I can not volunteer
> > to provide this comprehensive check.
>
> Why not?
I don't have the expertise in the VFS code.
>
> Cheers,
>
> Dave.
> --
> Dave Chinner
> david@fromorbit.com
next prev parent reply other threads:[~2018-10-30 13:40 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-26 20:10 [PATCH v4 00/11] client-side support for "inter" SSC copy Olga Kornievskaia
2018-10-26 20:10 ` [PATCH v4 01/11] VFS: move cross device copy_file_range() check into filesystems Olga Kornievskaia
2018-10-26 21:23 ` Matthew Wilcox
2018-10-26 22:10 ` Steve French
2018-10-27 9:09 ` Dave Chinner
2018-10-29 14:31 ` Olga Kornievskaia
2018-10-27 11:11 ` Jeff Layton
2018-10-26 20:10 ` [PATCH 1/1] man-page: copy_file_range(2) allow for cross-device copies Olga Kornievskaia
2018-10-27 9:12 ` Dave Chinner
2018-10-27 13:23 ` Matthew Wilcox
2018-10-28 1:33 ` Dave Chinner
2018-10-28 2:39 ` Matthew Wilcox
2018-10-29 14:25 ` Olga Kornievskaia
2018-10-29 15:52 ` Olga Kornievskaia
2018-10-29 17:49 ` Amir Goldstein
2018-10-26 20:10 ` [PATCH v4 02/11] VFS: copy_file_range check validity of input source offset Olga Kornievskaia
2018-10-26 21:26 ` Matthew Wilcox
2018-10-29 16:09 ` Olga Kornievskaia
2018-10-27 9:27 ` Dave Chinner
2018-10-29 14:41 ` Olga Kornievskaia
2018-10-30 9:03 ` Dave Chinner
2018-10-30 13:40 ` Olga Kornievskaia [this message]
2018-10-30 23:40 ` Dave Chinner
2018-10-30 21:10 ` Olga Kornievskaia
2018-10-30 21:12 ` Olga Kornievskaia
2018-10-31 0:14 ` Dave Chinner
2018-10-31 14:51 ` Olga Kornievskaia
2018-10-31 23:33 ` Dave Chinner
2018-10-26 20:10 ` [PATCH v4 03/11] NFS: NFSD defining nl4_servers structure needed by both Olga Kornievskaia
2018-10-27 11:14 ` Jeff Layton
2018-10-29 14:28 ` Olga Kornievskaia
2018-10-26 20:10 ` [PATCH v4 04/11] NFS: add COPY_NOTIFY operation Olga Kornievskaia
2018-10-26 20:10 ` [PATCH v4 05/11] NFS: add ca_source_server<> to COPY Olga Kornievskaia
2018-10-26 20:10 ` [PATCH v4 06/11] NFS: also send OFFLOAD_CANCEL to source server Olga Kornievskaia
2018-10-26 20:10 ` [PATCH v4 07/11] NFS: inter ssc open Olga Kornievskaia
2018-10-26 20:10 ` [PATCH v4 08/11] NFS: skip recovery of copy open on dest server Olga Kornievskaia
2018-10-26 20:10 ` [PATCH v4 09/11] NFS: for "inter" copy treat ESTALE as ENOTSUPP Olga Kornievskaia
2018-10-26 20:10 ` [PATCH v4 10/11] NFS: COPY handle ERR_OFFLOAD_DENIED Olga Kornievskaia
2018-10-26 20:10 ` [PATCH v4 11/11] NFS: replace cross device check in copy_file_range Olga Kornievskaia
2018-10-26 21:22 ` Matthew Wilcox
2018-10-27 11:08 ` Jeff Layton
2018-10-27 13:26 ` Matthew Wilcox
2018-10-29 14:28 ` Olga Kornievskaia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAN-5tyEfYcSvgzhftM7r8YoB7KQDiJnJXQPTE9pcML6BRSbbYA@mail.gmail.com \
--to=olga.kornievskaia@gmail.com \
--cc=anna.schumaker@netapp.com \
--cc=david@fromorbit.com \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=smfrench@gmail.com \
--cc=trond.myklebust@hammerspace.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).