mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2024-12-29 17:23:36 +00:00
Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
c39ac49f23
commit
8aec0f5d41
15
fs/compat.c
15
fs/compat.c
@ -558,6 +558,10 @@ ssize_t compat_rw_copy_check_uvector(int type,
|
||||
}
|
||||
*ret_pointer = iov;
|
||||
|
||||
ret = -EFAULT;
|
||||
if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
|
||||
goto out;
|
||||
|
||||
/*
|
||||
* Single unix specification:
|
||||
* We should -EINVAL if an element length is not >= 0 and fitting an
|
||||
@ -1080,17 +1084,12 @@ static ssize_t compat_do_readv_writev(int type, struct file *file,
|
||||
if (!file->f_op)
|
||||
goto out;
|
||||
|
||||
ret = -EFAULT;
|
||||
if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
|
||||
goto out;
|
||||
|
||||
tot_len = compat_rw_copy_check_uvector(type, uvector, nr_segs,
|
||||
ret = compat_rw_copy_check_uvector(type, uvector, nr_segs,
|
||||
UIO_FASTIOV, iovstack, &iov);
|
||||
if (tot_len == 0) {
|
||||
ret = 0;
|
||||
if (ret <= 0)
|
||||
goto out;
|
||||
}
|
||||
|
||||
tot_len = ret;
|
||||
ret = rw_verify_area(type, file, pos, tot_len);
|
||||
if (ret < 0)
|
||||
goto out;
|
||||
|
@ -429,12 +429,6 @@ compat_process_vm_rw(compat_pid_t pid,
|
||||
if (flags != 0)
|
||||
return -EINVAL;
|
||||
|
||||
if (!access_ok(VERIFY_READ, lvec, liovcnt * sizeof(*lvec)))
|
||||
goto out;
|
||||
|
||||
if (!access_ok(VERIFY_READ, rvec, riovcnt * sizeof(*rvec)))
|
||||
goto out;
|
||||
|
||||
if (vm_write)
|
||||
rc = compat_rw_copy_check_uvector(WRITE, lvec, liovcnt,
|
||||
UIO_FASTIOV, iovstack_l,
|
||||
@ -459,8 +453,6 @@ compat_process_vm_rw(compat_pid_t pid,
|
||||
kfree(iov_r);
|
||||
if (iov_l != iovstack_l)
|
||||
kfree(iov_l);
|
||||
|
||||
out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
@ -40,12 +40,12 @@ static long compat_keyctl_instantiate_key_iov(
|
||||
ARRAY_SIZE(iovstack),
|
||||
iovstack, &iov);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
goto err;
|
||||
if (ret == 0)
|
||||
goto no_payload_free;
|
||||
|
||||
ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
|
||||
|
||||
err:
|
||||
if (iov != iovstack)
|
||||
kfree(iov);
|
||||
return ret;
|
||||
|
Loading…
Reference in New Issue
Block a user