From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from zeniv.linux.org.uk ([195.92.253.2]:46518 "EHLO
        ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752957AbcLOByZ (ORCPT
        <rfc822;stable@vger.kernel.org>); Wed, 14 Dec 2016 20:54:25 -0500
Date: Thu, 15 Dec 2016 01:54:12 +0000
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Slaby <jslaby@suse.cz>, Greg KH <greg@kroah.com>,
        stable <stable@vger.kernel.org>
Subject: Re: [patch NOT added to 3.12 stable tree] Don't feed anything but
 regular iovec's to blk_rq_map_user_iov
Message-ID: <20161215015412.GQ1555@ZenIV.linux.org.uk>
References: <20161212150727.16486-1-jslaby@suse.cz>
 <20161212224937.GA32167@kroah.com>
 <7645f60e-6b45-828d-7964-033c9b4296df@suse.cz>
 <20161213152428.GA14683@kroah.com>
 <2924abbf-ceb2-cc73-1675-be8a07051c00@suse.cz>
 <CA+55aFxrWdGaYMCmPr712S2kbiWUDO9ED1EcTn1B+nhnSnY9TQ@mail.gmail.com>
 <20161213170539.GN1555@ZenIV.linux.org.uk>
 <CA+55aFyO-bZo24dT7m8PU8+vxsLEWDZzKrJyP=Tm7RAT=cCd0Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CA+55aFyO-bZo24dT7m8PU8+vxsLEWDZzKrJyP=Tm7RAT=cCd0Q@mail.gmail.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Tue, Dec 13, 2016 at 09:09:25AM -0800, Linus Torvalds wrote:
> On Tue, Dec 13, 2016 at 9:05 AM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > I really doubt it - there might be something subtle I'd missed, but AFAICS
> > it is vulnerable to the scenario above.
> 
> Hmm. So maybe just add
> 
>         if (segment_eq(get_fs(), KERNEL_DS))
>                 return -EINVAL;
> 
> to blk_rq_map_user_iov()?

To sg_write(), actually.  And we need it both in old branches and in
the mainline - sg_new_write() problem applies in mainline as well, and
if nothing else, it allows to perform reads from arbitrary kernel
space address; I'm not sure how easy it is to see the value it has
fetched, but it certainly can do unpleasant things to memory-mapped
IO registers.

As the matter of fact, bsg_write() is no better - blk_fill_sgv4_hdr_rq()
is called before we get to blk_rq_map_user() where your test would make
it fail, and it does
        if (copy_from_user(rq->cmd, (void __user *)(unsigned long)hdr->request,
                           hdr->request_len))   
                return -EFAULT;
with *hdr, including hrd->request, has come from the data fed to bsg_write().

So I think we should make both sg_write() and bsg_write() to fail as early
as possible when called with KERNEL_DS, mainline and all -stable branches.