Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write

Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write

[Vinson Lee]

On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@huawei.com> wrote:
> Hi Greg,
>
> Jiri Slaby has pushed this patch to his 3.12-stable tree.
>
> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d
>
> Can you push it to 3.10-stable tree ？
>
> Best regards！
>
> On 2015/3/20 16:59, Zhang Zhen wrote:
>> We need to check the position and size of file writes against various
>> limits, using generic_write_check(). This was not being done for
>> the splice write path. It was fixed upstream by commit 8d0207652cbe
>> ("->splice_write() via ->write_iter()") but we can't apply that.
>>
>> CVE-2014-7822
>>
>> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
>> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
>> Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
>> ---
>>  fs/ocfs2/file.c | 8 +++++---
>>  fs/splice.c     | 8 ++++++--
>>  2 files changed, 11 insertions(+), 5 deletions(-)
>>
>> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
>> index 46387e4..e0b1c88 100644
>> --- a/fs/ocfs2/file.c
>> +++ b/fs/ocfs2/file.c
>> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
>>       struct address_space *mapping = out->f_mapping;
>>       struct inode *inode = mapping->host;
>>       struct splice_desc sd = {
>> -             .total_len = len,
>>               .flags = flags,
>> -             .pos = *ppos,
>>               .u.file = out,
>>       };
>> -
>> +     ret = generic_write_checks(out, ppos, &len, 0);
>> +     if(ret)
>> +             return ret;
>> +     sd.total_len = len;
>> +     sd.pos = *ppos;
>>
>>       trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry,
>>                       (unsigned long long)OCFS2_I(inode)->ip_blkno,
>> diff --git a/fs/splice.c b/fs/splice.c
>> index 4b5a5fa..f183f13 100644
>> --- a/fs/splice.c
>> +++ b/fs/splice.c
>> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
>>       struct address_space *mapping = out->f_mapping;
>>       struct inode *inode = mapping->host;
>>       struct splice_desc sd = {
>> -             .total_len = len,
>>               .flags = flags,
>> -             .pos = *ppos,
>>               .u.file = out,
>>       };
>>       ssize_t ret;
>>
>> +     ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
>> +     if (ret)
>> +             return ret;
>> +     sd.total_len = len;
>> +     sd.pos = *ppos;
>> +
>>       pipe_lock(pipe);
>>
>>       splice_from_pipe_begin(&sd);
>>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


Hi.

The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix
is also needed for the 3.14 stable branch.

Cheers,
Vinson

Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write

[Greg KH]

On Wed, Jun 03, 2015 at 02:31:14PM -0700, Vinson Lee wrote:
> On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@huawei.com> wrote:
> > Hi Greg,
> >
> > Jiri Slaby has pushed this patch to his 3.12-stable tree.
> >
> > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d
> >
> > Can you push it to 3.10-stable tree ？
> >
> > Best regards！
> >
> > On 2015/3/20 16:59, Zhang Zhen wrote:
> >> We need to check the position and size of file writes against various
> >> limits, using generic_write_check(). This was not being done for
> >> the splice write path. It was fixed upstream by commit 8d0207652cbe
> >> ("->splice_write() via ->write_iter()") but we can't apply that.
> >>
> >> CVE-2014-7822
> >>
> >> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> >> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
> >> Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
> >> ---
> >>  fs/ocfs2/file.c | 8 +++++---
> >>  fs/splice.c     | 8 ++++++--
> >>  2 files changed, 11 insertions(+), 5 deletions(-)
> >>
> >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> >> index 46387e4..e0b1c88 100644
> >> --- a/fs/ocfs2/file.c
> >> +++ b/fs/ocfs2/file.c
> >> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
> >>       struct address_space *mapping = out->f_mapping;
> >>       struct inode *inode = mapping->host;
> >>       struct splice_desc sd = {
> >> -             .total_len = len,
> >>               .flags = flags,
> >> -             .pos = *ppos,
> >>               .u.file = out,
> >>       };
> >> -
> >> +     ret = generic_write_checks(out, ppos, &len, 0);
> >> +     if(ret)
> >> +             return ret;
> >> +     sd.total_len = len;
> >> +     sd.pos = *ppos;
> >>
> >>       trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry,
> >>                       (unsigned long long)OCFS2_I(inode)->ip_blkno,
> >> diff --git a/fs/splice.c b/fs/splice.c
> >> index 4b5a5fa..f183f13 100644
> >> --- a/fs/splice.c
> >> +++ b/fs/splice.c
> >> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
> >>       struct address_space *mapping = out->f_mapping;
> >>       struct inode *inode = mapping->host;
> >>       struct splice_desc sd = {
> >> -             .total_len = len,
> >>               .flags = flags,
> >> -             .pos = *ppos,
> >>               .u.file = out,
> >>       };
> >>       ssize_t ret;
> >>
> >> +     ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
> >> +     if (ret)
> >> +             return ret;
> >> +     sd.total_len = len;
> >> +     sd.pos = *ppos;
> >> +
> >>       pipe_lock(pipe);
> >>
> >>       splice_from_pipe_begin(&sd);
> >>
> >
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe stable" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 
> Hi.
> 
> The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix
> is also needed for the 3.14 stable branch.

I don't understand, what commit id are you talking about?  What patch
should be applied to 3.14-stable?

thanks,

greg k-h

Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write

[Willy Tarreau]

On Thu, Jun 25, 2015 at 09:22:01PM -0700, Greg KH wrote:
> On Wed, Jun 03, 2015 at 02:31:14PM -0700, Vinson Lee wrote:
> > On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@huawei.com> wrote:
> > > Hi Greg,
> > >
> > > Jiri Slaby has pushed this patch to his 3.12-stable tree.
> > >
> > > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d
> > >
> > > Can you push it to 3.10-stable tree ???
> > >
> > > Best regards???
> > >
> > > On 2015/3/20 16:59, Zhang Zhen wrote:
> > >> We need to check the position and size of file writes against various
> > >> limits, using generic_write_check(). This was not being done for
> > >> the splice write path. It was fixed upstream by commit 8d0207652cbe
> > >> ("->splice_write() via ->write_iter()") but we can't apply that.
> > >>
> > >> CVE-2014-7822
> > >>
> > >> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > >> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
> > >> Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
> > >> ---
> > >>  fs/ocfs2/file.c | 8 +++++---
> > >>  fs/splice.c     | 8 ++++++--
> > >>  2 files changed, 11 insertions(+), 5 deletions(-)
> > >>
> > >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> > >> index 46387e4..e0b1c88 100644
> > >> --- a/fs/ocfs2/file.c
> > >> +++ b/fs/ocfs2/file.c
> > >> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
> > >>       struct address_space *mapping = out->f_mapping;
> > >>       struct inode *inode = mapping->host;
> > >>       struct splice_desc sd = {
> > >> -             .total_len = len,
> > >>               .flags = flags,
> > >> -             .pos = *ppos,
> > >>               .u.file = out,
> > >>       };
> > >> -
> > >> +     ret = generic_write_checks(out, ppos, &len, 0);
> > >> +     if(ret)
> > >> +             return ret;
> > >> +     sd.total_len = len;
> > >> +     sd.pos = *ppos;
> > >>
> > >>       trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry,
> > >>                       (unsigned long long)OCFS2_I(inode)->ip_blkno,
> > >> diff --git a/fs/splice.c b/fs/splice.c
> > >> index 4b5a5fa..f183f13 100644
> > >> --- a/fs/splice.c
> > >> +++ b/fs/splice.c
> > >> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
> > >>       struct address_space *mapping = out->f_mapping;
> > >>       struct inode *inode = mapping->host;
> > >>       struct splice_desc sd = {
> > >> -             .total_len = len,
> > >>               .flags = flags,
> > >> -             .pos = *ppos,
> > >>               .u.file = out,
> > >>       };
> > >>       ssize_t ret;
> > >>
> > >> +     ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
> > >> +     if (ret)
> > >> +             return ret;
> > >> +     sd.total_len = len;
> > >> +     sd.pos = *ppos;
> > >> +
> > >>       pipe_lock(pipe);
> > >>
> > >>       splice_from_pipe_begin(&sd);
> > >>
> > >
> > >
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe stable" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
> > 
> > Hi.
> > 
> > The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix
> > is also needed for the 3.14 stable branch.
> 
> I don't understand, what commit id are you talking about?  What patch
> should be applied to 3.14-stable?

I think it's this one (from 3.10) which doesn't have an equivalent in 3.14 :

  commit 13d32f27d15c5c53254ed88e3d2042c34de1bfaa
  Author: Ben Hutchings <ben@decadent.org.uk>
  Date:   Thu Jan 29 02:50:33 2015 +0000

    splice: Apply generic position and size checks to each write
    
    commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
    
    We need to check the position and size of file writes against various
    limits, using generic_write_check().  This was not being done for
    the splice write path.  It was fixed upstream by commit 8d0207652cbe
    ("->splice_write() via ->write_iter()") but we can't apply that.
    
    CVE-2014-7822
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
    Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Willy

Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write

[Greg KH]

On Fri, Jun 26, 2015 at 07:56:56AM +0200, Willy Tarreau wrote:
> On Thu, Jun 25, 2015 at 09:22:01PM -0700, Greg KH wrote:
> > On Wed, Jun 03, 2015 at 02:31:14PM -0700, Vinson Lee wrote:
> > > On Tue, Mar 31, 2015 at 12:25 AM, Zhang Zhen <zhenzhang.zhang@huawei.com> wrote:
> > > > Hi Greg,
> > > >
> > > > Jiri Slaby has pushed this patch to his 3.12-stable tree.
> > > >
> > > > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.12.y&id=d7e3ae47c441894b11dce376ff8d110780872d0d
> > > >
> > > > Can you push it to 3.10-stable tree ???
> > > >
> > > > Best regards???
> > > >
> > > > On 2015/3/20 16:59, Zhang Zhen wrote:
> > > >> We need to check the position and size of file writes against various
> > > >> limits, using generic_write_check(). This was not being done for
> > > >> the splice write path. It was fixed upstream by commit 8d0207652cbe
> > > >> ("->splice_write() via ->write_iter()") but we can't apply that.
> > > >>
> > > >> CVE-2014-7822
> > > >>
> > > >> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > > >> [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
> > > >> Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
> > > >> ---
> > > >>  fs/ocfs2/file.c | 8 +++++---
> > > >>  fs/splice.c     | 8 ++++++--
> > > >>  2 files changed, 11 insertions(+), 5 deletions(-)
> > > >>
> > > >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> > > >> index 46387e4..e0b1c88 100644
> > > >> --- a/fs/ocfs2/file.c
> > > >> +++ b/fs/ocfs2/file.c
> > > >> @@ -2453,12 +2453,14 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
> > > >>       struct address_space *mapping = out->f_mapping;
> > > >>       struct inode *inode = mapping->host;
> > > >>       struct splice_desc sd = {
> > > >> -             .total_len = len,
> > > >>               .flags = flags,
> > > >> -             .pos = *ppos,
> > > >>               .u.file = out,
> > > >>       };
> > > >> -
> > > >> +     ret = generic_write_checks(out, ppos, &len, 0);
> > > >> +     if(ret)
> > > >> +             return ret;
> > > >> +     sd.total_len = len;
> > > >> +     sd.pos = *ppos;
> > > >>
> > > >>       trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry,
> > > >>                       (unsigned long long)OCFS2_I(inode)->ip_blkno,
> > > >> diff --git a/fs/splice.c b/fs/splice.c
> > > >> index 4b5a5fa..f183f13 100644
> > > >> --- a/fs/splice.c
> > > >> +++ b/fs/splice.c
> > > >> @@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
> > > >>       struct address_space *mapping = out->f_mapping;
> > > >>       struct inode *inode = mapping->host;
> > > >>       struct splice_desc sd = {
> > > >> -             .total_len = len,
> > > >>               .flags = flags,
> > > >> -             .pos = *ppos,
> > > >>               .u.file = out,
> > > >>       };
> > > >>       ssize_t ret;
> > > >>
> > > >> +     ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
> > > >> +     if (ret)
> > > >> +             return ret;
> > > >> +     sd.total_len = len;
> > > >> +     sd.pos = *ppos;
> > > >> +
> > > >>       pipe_lock(pipe);
> > > >>
> > > >>       splice_from_pipe_begin(&sd);
> > > >>
> > > >
> > > >
> > > > --
> > > > To unsubscribe from this list: send the line "unsubscribe stable" in
> > > > the body of a message to majordomo@vger.kernel.org
> > > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > > 
> > > 
> > > Hi.
> > > 
> > > The original upstream fix for CVE-2014-7822 landed in 3.16, so a fix
> > > is also needed for the 3.14 stable branch.
> > 
> > I don't understand, what commit id are you talking about?  What patch
> > should be applied to 3.14-stable?
> 
> I think it's this one (from 3.10) which doesn't have an equivalent in 3.14 :
> 
>   commit 13d32f27d15c5c53254ed88e3d2042c34de1bfaa
>   Author: Ben Hutchings <ben@decadent.org.uk>
>   Date:   Thu Jan 29 02:50:33 2015 +0000
> 
>     splice: Apply generic position and size checks to each write
>     
>     commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
>     
>     We need to check the position and size of file writes against various
>     limits, using generic_write_check().  This was not being done for
>     the splice write path.  It was fixed upstream by commit 8d0207652cbe
>     ("->splice_write() via ->write_iter()") but we can't apply that.
>     
>     CVE-2014-7822
>     
>     Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
>     [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
>     Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
>     Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thanks, that makes sense, now applied.

greg k-h