Re: [PATCH] Fix: compat_rw_copy_check_uvector() misuse in aio,readv, writev, and security keys

From: Mathieu Desnoyers
Date: Mon Mar 11 2013 - 16:53:55 EST


* Greg Kroah-Hartman (gregkh@xxxxxxxxxxxxxxxxxxx) wrote:
> On Mon, Feb 25, 2013 at 10:20:36AM -0500, Mathieu Desnoyers wrote:
> > Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
> > compat_process_vm_rw() shows that the compatibility code requires an
> > explicit "access_ok()" check before calling
> > compat_rw_copy_check_uvector(). The same difference seems to appear when
> > we compare fs/read_write.c:do_readv_writev() to
> > fs/compat.c:compat_do_readv_writev().
> >
> > This subtle difference between the compat and non-compat requirements
> > should probably be debated, as it seems to be error-prone. In fact,
> > there are two others sites that use this function in the Linux kernel,
> > and they both seem to get it wrong:
> >
> > Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
> > also ends up calling compat_rw_copy_check_uvector() through
> > aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
> > be missing. Same situation for
> > security/keys/compat.c:compat_keyctl_instantiate_key_iov().
> >
> > I propose that we add the access_ok() check directly into
> > compat_rw_copy_check_uvector(), so callers don't have to worry about it,
> > and it therefore makes the compat call code similar to its non-compat
> > counterpart. Place the access_ok() check in the same location where
> > copy_from_user() can trigger a -EFAULT error in the non-compat code, so
> > the ABI behaviors are alike on both compat and non-compat.
> >
> > While we are here, fix compat_do_readv_writev() so it checks for
> > compat_rw_copy_check_uvector() negative return values.
> >
> > And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
> > handling.
> >
> > Acked-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> > Acked-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> > Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>
> > ---
> > fs/compat.c | 15 +++++++--------
> > mm/process_vm_access.c | 8 --------
> > security/keys/compat.c | 4 ++--
> > 3 files changed, 9 insertions(+), 18 deletions(-)
>
> What ever happened to this patch? I don't see it in Linus's tree, was
> it not correct?

Not sure. My guess would be that there is missing proof that I actually
tested the patch by generating a OOPS splat and proof that it actually
fixes it. I mainly tested that it does not break _correct_ use of aio,
but I did not have enough time to created my own custom aio lib to
generate the issue. So if this is what is expected, I might need a bit
of help on this front. Testing odd behavior through libaio proved to
non-straightforward.

Thoughts ?

Thanks,

Mathieu

>
> thanks,
>
> greg k-h

--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/