From: Jens Axboe <axboe@kernel.dk>
To: Richard Weinberger <richard@nod.at>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	drbd-dev@lists.linbit.com, philipp.reisner@linbit.com,
	viro@zeniv.linux.org.uk, christoph.lechleitner@iteg.at,
	wolfgang.glas@iteg.at
Subject: Re: [PATCH] drbd: Fix kernel_sendmsg() usage
Date: Tue, 8 Nov 2016 09:52:04 -0700
Message-ID: <20161108165204.GC2834@kernel.dk>
In-Reply-To: <497abc52-093f-17ea-5fb5-645030a23a01@nod.at>

On Tue, Nov 08 2016, Richard Weinberger wrote:
> On 08.11.2016 14:43, Lars Ellenberg wrote:
> > From 3a5859e696178e31a25e65de58c461046fc52beb Mon Sep 17 00:00:00 2001
> > From: Richard Weinberger <richard@nod.at>
> > Date: Tue, 8 Nov 2016 11:43:09 +0100
> > Subject: [PATCH] drbd: Fix kernel_sendmsg() usage - potential NULL deref
> > drbd: Fix kernel_sendmsg() usage - potential NULL deref
> > 
> > Don't pass a size larger than iov_len to kernel_sendmsg().
> > Otherwise it will cause a NULL pointer deref when kernel_sendmsg()
> > returns with rv < size.
> > 
> > DRBD as external module has been around in the kernel 2.4 days already.
> > We used to be compatible to 2.4 and very early 2.6 kernels,
> > we used to use
> >  rv = sock_sendmsg(sock, &msg, iov.iov_len);
> > then later changed to
> >  rv = kernel_sendmsg(sock, &msg, &iov, 1, size);
> > when we should have used
> >  rv = kernel_sendmsg(sock, &msg, &iov, 1, iov.iov_len);
> > 
> > tcp_sendmsg() used to totally ignore the size parameter.
> >  57be5bd ip: convert tcp_sendmsg() to iov_iter primitives
> > changes that, and exposes our long standing error.
> > 
> > Even with this error exposed, to trigger the bug, we would need to have
> > an environment (config or otherwise) causing us to not use sendpage()
> > for larger transfers, a flaky connection, and have it fail "just at the
> > right time".  Apparently that was unlikely enough for most, so this went
> > unnoticed for years.
> > 
> > Still, it is known to trigger at least some of these,
> > and suspected for the others:
> > [0] http://lists.linbit.com/pipermail/drbd-user/2016-July/023112.html
> > [1] http://lists.linbit.com/pipermail/drbd-dev/2016-March/003362.html
> > [2] https://forums.grsecurity.net/viewtopic.php?f=3&t=4546
> > [3] https://ubuntuforums.org/showthread.php?t=2336150
> > [4] http://e2.howsolveproblem.com/i/1175162/
> > 
> > This should go into 4.9,
> > and into all stable branches since and including v4.0,
> > which is the first to contain the exposing change.
> > 
> > It is correct for all stable branches older than that as well
> > (which contain the DRBD driver; which is 2.6.33 and up).
> > 
> > It requires a small "conflict" resolution for v4.4 and earlier, with v4.5
> > we dropped the comment block immediately preceding the kernel_sendmsg().
> > 
> > Cc: stable@vger.kernel.org
> > Cc: viro@zeniv.linux.org.uk
> > Cc: christoph.lechleitner@iteg.at
> > Cc: wolfgang.glas@iteg.at
> > Reported-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
> > Tested-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
> > Signed-off-by: Richard Weinberger <richard@nod.at>
> > Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
> 
> Changing my patch is perfectly fine, but please clearly state it.
> I.e. by adding something like that before your S-o-b.
> [Lars: Massaged patch to match my personal taste...]

Lars, are you sending a new one? If you do, add the stable tag as well.

-- 
Jens Axboe
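
The retry loop the quoted commit message describes, modelled in userspace as an added example (this is not drbd's or the kernel's code). The hypothetical model_sendmsg() stands in for kernel_sendmsg(): it accepts at most a few bytes per call to force partial sends, and instead of walking past the single iovec entry (the real NULL deref) it returns -1 whenever the caller's length exceeds what the iovec still describes. drbd_send_model() selects between the old call (stale `size`) and the fixed call (`iov.iov_len`).

```c
#include <stddef.h>
#include <string.h>
#include <sys/uio.h>

/* Constructed transport model: at most max_per_call bytes per call,
 * copied into 'out' (assumed large enough for the sample inputs). */
static size_t max_per_call = 3;
static char out[256];
static size_t out_len;

static long model_sendmsg(const struct iovec *iov, size_t nr, size_t len)
{
    size_t avail = 0, n, i;
    for (i = 0; i < nr; i++)
        avail += iov[i].iov_len;
    if (len > avail)
        return -1;          /* length is stale: this is the bug the patch fixes */
    n = len < max_per_call ? len : max_per_call;
    memcpy(out + out_len, iov[0].iov_base, n);
    out_len += n;
    return (long)n;
}

/* Send 'size' bytes of 'buf', advancing the iovec after each partial send.
 * use_iov_len == 0 passes the original 'size' every time (old behaviour);
 * use_iov_len != 0 passes iov.iov_len (the fix). Returns bytes sent or -1. */
long drbd_send_model(const char *buf, size_t size, int use_iov_len)
{
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = size };
    size_t sent = 0;
    out_len = 0;
    do {
        long rv = model_sendmsg(&iov, 1, use_iov_len ? iov.iov_len : size);
        if (rv < 0)
            return -1;
        /* iov shrinks here, but 'size' does not: the two diverge after
         * the first partial send, which is exactly when the old call fails. */
        iov.iov_base = (char *)iov.iov_base + rv;
        iov.iov_len -= rv;
        sent += (size_t)rv;
    } while (sent < size);
    return (long)sent;
}

/* Returns 1 if the bytes delivered by the last call equal 'expected'. */
int delivered_equals(const char *expected, size_t len)
{
    return out_len == len && memcmp(out, expected, len) == 0;
}
```

With the fixed call every byte arrives across the partial sends; with the old call the second iteration asks for more than the iovec holds and the model reports the error that, in the kernel, became the NULL dereference.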