From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Security Officers <security@kernel.org>,
Al Viro <viro@ZenIV.linux.org.uk>,
stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
Date: Mon, 11 Mar 2013 13:46:01 -0700 [thread overview]
Message-ID: <20130311204601.GA22369@kroah.com> (raw)
In-Reply-To: <20130225152036.GA3405@Krystal>
On Mon, Feb 25, 2013 at 10:20:36AM -0500, Mathieu Desnoyers wrote:
> Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
> compat_process_vm_rw() shows that the compatibility code requires an
> explicit "access_ok()" check before calling
> compat_rw_copy_check_uvector(). The same difference seems to appear when
> we compare fs/read_write.c:do_readv_writev() to
> fs/compat.c:compat_do_readv_writev().
>
> This subtle difference between the compat and non-compat requirements
> should probably be debated, as it seems to be error-prone. In fact,
> there are two others sites that use this function in the Linux kernel,
> and they both seem to get it wrong:
>
> Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
> also ends up calling compat_rw_copy_check_uvector() through
> aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
> be missing. Same situation for
> security/keys/compat.c:compat_keyctl_instantiate_key_iov().
>
> I propose that we add the access_ok() check directly into
> compat_rw_copy_check_uvector(), so callers don't have to worry about it,
> and it therefore makes the compat call code similar to its non-compat
> counterpart. Place the access_ok() check in the same location where
> copy_from_user() can trigger a -EFAULT error in the non-compat code, so
> the ABI behaviors are alike on both compat and non-compat.
>
> While we are here, fix compat_do_readv_writev() so it checks for
> compat_rw_copy_check_uvector() negative return values.
>
> And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
> handling.
>
> Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
> Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> ---
> fs/compat.c | 15 +++++++--------
> mm/process_vm_access.c | 8 --------
> security/keys/compat.c | 4 ++--
> 3 files changed, 9 insertions(+), 18 deletions(-)
What ever happened to this patch? I don't see it in Linus's tree, was
it not correct?
thanks,
greg k-h
next prev parent reply other threads:[~2013-03-11 20:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-25 15:20 [PATCH] Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Mathieu Desnoyers
2013-03-11 20:46 ` Greg Kroah-Hartman [this message]
2013-03-11 20:53 ` Mathieu Desnoyers
2013-03-12 18:04 ` Linus Torvalds
2013-03-12 18:23 ` Linus Torvalds
2013-03-13 13:53 ` Mathieu Desnoyers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130311204601.GA22369@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox