From: Dan Carpenter <dan.carpenter@oracle.com>
To: James Simmons <jsimmons@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
devel@driverdev.osuosl.org, Oleg Drokin <oleg.drokin@intel.com>,
Andreas Dilger <andreas.dilger@intel.com>,
Amir Shehata <amir.shehata@intel.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
lustre-devel@lists.lustre.org
Subject: Re: [PATCH 12/40] staging: lustre: Dynamic LNet Configuration (DLC) IOCTL changes
Date: Wed, 2 Dec 2015 12:48:43 +0300 [thread overview]
Message-ID: <20151202094843.GL18797@mwanda> (raw)
In-Reply-To: <1448062576-23757-13-git-send-email-jsimmons@infradead.org>
On Fri, Nov 20, 2015 at 06:35:48PM -0500, James Simmons wrote:
> +int libcfs_ioctl_getdata_len(const struct libcfs_ioctl_hdr __user *arg,
> + __u32 *len)
> +{
> + struct libcfs_ioctl_hdr hdr;
>
> - orig_len = hdr->ioc_len;
> - if (copy_from_user(buf, arg, hdr->ioc_len))
> + if (copy_from_user(&hdr, arg, sizeof(hdr)))
> return -EFAULT;
> - if (orig_len != data->ioc_len)
> - return -EINVAL;
This check was actually important. I don't see where it was moved to so
it looks like this patch introduces a serious information leak.
>
> - if (libcfs_ioctl_is_invalid(data)) {
> - CERROR("PORTALS: ioctl not correctly formatted\n");
> + if (hdr.ioc_version != LIBCFS_IOCTL_VERSION) {
> + CERROR("LNET: version mismatch expected %#x, got %#x\n",
> + LIBCFS_IOCTL_VERSION, hdr.ioc_version);
> return -EINVAL;
> }
>
> - if (data->ioc_inllen1)
> - data->ioc_inlbuf1 = &data->ioc_bulk[0];
> + *len = hdr.ioc_len;
>
> - if (data->ioc_inllen2)
> - data->ioc_inlbuf2 = &data->ioc_bulk[0] +
> - cfs_size_round(data->ioc_inllen1);
> + return 0;
> +}
>
> +int libcfs_ioctl_getdata(struct libcfs_ioctl_hdr *buf, __u32 buf_len,
> + const void __user *arg)
> +{
> + if (copy_from_user(buf, arg, buf_len))
> + return -EFAULT;
> return 0;
> }
Don't introduce this wrapper. Abstraction layers just make the code
harder to read and obscures bugs. Also the caller changes -EFAULT to
-EINVAL so right away it starts to be buggy.
>
> diff --git a/drivers/staging/lustre/lustre/libcfs/module.c b/drivers/staging/lustre/lustre/libcfs/module.c
> index 75247e9..5348699 100644
> --- a/drivers/staging/lustre/lustre/libcfs/module.c
> +++ b/drivers/staging/lustre/lustre/libcfs/module.c
> @@ -54,6 +54,8 @@
>
> # define DEBUG_SUBSYSTEM S_LNET
>
> +#define LIBCFS_MAX_IOCTL_BUF_LEN 2048
> +
> #include "../../include/linux/libcfs/libcfs.h"
> #include <asm/div64.h>
>
> @@ -241,11 +243,21 @@ int libcfs_deregister_ioctl(struct libcfs_ioctl_handler *hand)
> }
> EXPORT_SYMBOL(libcfs_deregister_ioctl);
>
> -static int libcfs_ioctl_int(struct cfs_psdev_file *pfile, unsigned long cmd,
> - void *arg, struct libcfs_ioctl_data *data)
> +static int libcfs_ioctl_handle(struct cfs_psdev_file *pfile, unsigned long cmd,
> + void *arg, struct libcfs_ioctl_hdr *hdr)
> {
> + struct libcfs_ioctl_data *data = NULL;
> int err = -EINVAL;
>
> + if ((cmd <= IOC_LIBCFS_LNETST) ||
> + (cmd >= IOC_LIBCFS_REGISTER_MYNID)) {
> + data = container_of(hdr, struct libcfs_ioctl_data, ioc_hdr);
> + err = libcfs_ioctl_data_adjust(data);
> + if (err != 0) {
Generally, remove pointless double negatives like this. It should be
just "if (err) " instead of "if (err != 0 != 0 != 0 != 0) " or whatever.
> + return err;
> + }
> + }
> +
> switch (cmd) {
> case IOC_LIBCFS_CLEAR_DEBUG:
> libcfs_debug_clear_buffer();
> @@ -280,11 +292,11 @@ static int libcfs_ioctl_int(struct cfs_psdev_file *pfile, unsigned long cmd,
> err = -EINVAL;
> down_read(&ioctl_list_sem);
> list_for_each_entry(hand, &ioctl_list, item) {
> - err = hand->handle_ioctl(cmd, data);
> + err = hand->handle_ioctl(cmd, hdr);
> if (err != -EINVAL) {
> if (err == 0)
> err = libcfs_ioctl_popdata(arg,
> - data, sizeof(*data));
> + hdr, hdr->ioc_len);
This variable has not been verified since the user wrote to it last so
here is the information leak.
regards,
dan carpenter
next prev parent reply other threads:[~2015-12-02 9:49 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-20 23:35 [PATCH 00/40] Sync upstream lustre client LNet core James Simmons
2015-11-20 23:35 ` [PATCH 01/40] staging: lustre: drop *_t from end of struct lnet_text_buf James Simmons
2015-11-20 23:35 ` [PATCH 02/40] staging: lustre: fix 'NULL pointer dereference' errors for LNet James Simmons
2015-12-02 7:46 ` Dan Carpenter
2015-12-15 18:08 ` Simmons, James A.
2015-11-20 23:35 ` [PATCH 03/40] staging: lustre: reflect down routes in /proc/sys/lnet/routes James Simmons
2015-12-02 7:54 ` Dan Carpenter
2015-11-20 23:35 ` [PATCH 04/40] staging: lustre: fix failure handle of create reply James Simmons
2015-11-20 23:35 ` [PATCH 05/40] staging: lustre: eliminate obsolete Cray SeaStar support James Simmons
2015-11-20 23:35 ` [PATCH 06/40] staging: lustre: remove uses of IS_ERR_VALUE() James Simmons
2015-11-21 18:45 ` Dan Carpenter
2015-11-20 23:35 ` [PATCH 07/40] staging: lustre: return +ve for blocked lnet message James Simmons
2015-11-20 23:35 ` [PATCH 08/40] staging: lustre: do not memset after LIBCFS_ALLOC James Simmons
2015-11-20 23:35 ` [PATCH 09/40] staging: lustre: Dynamic LNet Configuration (DLC) James Simmons
2015-11-20 23:35 ` [PATCH 10/40] staging: lustre: Dynamic LNet Configuration (DLC) dynamic routing James Simmons
2015-11-20 23:35 ` [PATCH 11/40] staging: lustre: DLC Feature dynamic net config James Simmons
2015-12-02 9:23 ` Dan Carpenter
2015-11-20 23:35 ` [PATCH 12/40] staging: lustre: Dynamic LNet Configuration (DLC) IOCTL changes James Simmons
2015-12-02 9:48 ` Dan Carpenter [this message]
2015-11-20 23:35 ` [PATCH 13/40] staging: lustre: Dynamic LNet Configuration (DLC) show command James Simmons
2015-12-02 11:20 ` Dan Carpenter
2015-12-15 18:14 ` Simmons, James A.
2015-12-15 18:19 ` Dan Carpenter
2015-12-15 18:39 ` Simmons, James A.
2015-12-15 18:48 ` Greg Kroah-Hartman
2015-12-15 19:48 ` Simmons, James A.
2015-12-15 19:55 ` 'Greg Kroah-Hartman'
2015-12-02 12:00 ` Dan Carpenter
2015-11-20 23:35 ` [PATCH 14/40] staging: lustre: fix crash due to NULL networks string James Simmons
2015-12-02 11:27 ` Dan Carpenter
2015-11-20 23:35 ` [PATCH 15/40] staging: lustre: DLC user/kernel space glue code James Simmons
2015-12-02 12:11 ` Dan Carpenter
2015-11-20 23:35 ` [PATCH 16/40] staging: lustre: make local functions static for LNet ni James Simmons
2015-11-20 23:35 ` [PATCH 17/40] staging: lustre: add sparse annotation __user wherever needed for lnet James Simmons
2015-11-20 23:35 ` [PATCH 18/40] staging: lustre: remove LUSTRE_{,SRV_}LNET_PID James Simmons
2015-11-20 23:35 ` [PATCH 19/40] staging: lustre: copy out libcfs ioctl inline buffer James Simmons
2015-12-02 12:34 ` Dan Carpenter
2015-11-20 23:35 ` [PATCH 20/40] staging: lustre: fix kernel crash when network failed to start James Simmons
2015-12-02 12:44 ` Dan Carpenter
2015-11-20 23:35 ` [PATCH 21/40] staging: lustre: improve LNet clean up code and API James Simmons
2015-12-02 12:59 ` Dan Carpenter
2015-12-02 13:20 ` [lustre-devel] " Alexander Zarochentsev
2015-12-02 13:59 ` Dan Carpenter
2015-12-15 17:10 ` Simmons, James A.
2015-12-15 17:41 ` Dan Carpenter
2015-11-20 23:35 ` [PATCH 22/40] staging: lustre: Fixes to make lnetctl function as expected James Simmons
2015-11-20 23:35 ` [PATCH 23/40] staging: lustre: return appropriate errno when adding route James Simmons
2015-11-20 23:36 ` [PATCH 24/40] staging: lustre: make some lnet functions static James Simmons
2015-11-20 23:36 ` [PATCH 25/40] staging: lustre: missed a few cases of using NULL instead of 0 James Simmons
2015-11-20 23:36 ` [PATCH 26/40] staging: lustre: startup lnet acceptor thread dynamically James Simmons
2015-11-20 23:36 ` [PATCH 27/40] staging: lustre: reject invalid net configuration for lnet James Simmons
2015-11-20 23:36 ` [PATCH 28/40] staging: lustre: return -EEXIST if NI is not unique James Simmons
2015-11-20 23:36 ` [PATCH 29/40] staging: lustre: handle lnet_check_routes() errors James Simmons
2015-11-20 23:36 ` [PATCH 30/40] staging: lustre: improvement to router checker James Simmons
2015-11-20 23:36 ` [PATCH 31/40] staging: lustre: assume a kernel build James Simmons
2015-11-20 23:36 ` [PATCH 32/40] staging: lustre: prevent assert on LNet module unload James Simmons
2015-11-20 23:36 ` [PATCH 33/40] staging: lustre: remove messages from lazy portal on NI shutdown James Simmons
2015-11-20 23:36 ` [PATCH 34/40] staging: lustre: remove unnecessary EXPORT_SYMBOL from lnet layer James Simmons
2015-11-20 23:36 ` [PATCH 35/40] staging: lustre: avoid race during lnet acceptor thread termination James Simmons
2015-11-20 23:36 ` [PATCH 36/40] staging: lustre: test for sk_sleep presence in compact-2.6.h James Simmons
2015-11-20 23:36 ` [PATCH 37/40] staging: lustre: remove unnecessary NULL check in IOC_LIBCFS_GET_NET James Simmons
2015-11-20 23:36 ` [PATCH 38/40] staging: lustre: Allocate the correct number of rtr buffers James Simmons
2015-11-20 23:36 ` [PATCH 39/40] staging: lustre: Use lnet_is_route_alive for router aliveness James Simmons
2015-11-20 23:36 ` [PATCH 40/40] staging: lustre: Remove LASSERTS from router checker James Simmons
2015-12-21 23:41 ` [PATCH 00/40] Sync upstream lustre client LNet core Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151202094843.GL18797@mwanda \
--to=dan.carpenter@oracle.com \
--cc=amir.shehata@intel.com \
--cc=andreas.dilger@intel.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=jsimmons@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lustre-devel@lists.lustre.org \
--cc=oleg.drokin@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox