From patchwork Fri Jan 24 06:25:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vasily Averin X-Patchwork-Id: 11349789 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CD4BC13A4 for ; Fri, 24 Jan 2020 06:25:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A63F32071A for ; Fri, 24 Jan 2020 06:25:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727250AbgAXGZk (ORCPT ); Fri, 24 Jan 2020 01:25:40 -0500 Received: from relay.sw.ru ([185.231.240.75]:51990 "EHLO relay.sw.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726173AbgAXGZk (ORCPT ); Fri, 24 Jan 2020 01:25:40 -0500 Received: from vvs-ws.sw.ru ([172.16.24.21]) by relay.sw.ru with esmtp (Exim 4.92.3) (envelope-from ) id 1iusP1-0007tx-MM; Fri, 24 Jan 2020 09:25:11 +0300 From: Vasily Averin Subject: [PATCH 0/1] keys: seq_file .next functions should increase position index To: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org Cc: David Howells , Jarkko Sakkinen , James Morris , "Serge E. Hallyn" Message-ID: Date: Fri, 24 Jan 2020 09:25:09 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 MIME-Version: 1.0 Content-Language: en-US Sender: keyrings-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org In Aug 2018 NeilBrown noticed commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") "Some ->next functions do not increment *pos when they return NULL... Note that such ->next functions are buggy and should be fixed. A simple demonstration is dd if=/proc/swaps bs=1000 skip=1 Choose any block size larger than the size of /proc/swaps. This will always show the whole last line of /proc/swaps" Described problem is still actual. If you make lseek into middle of last output line following read will output end of last line and whole last line once again. $ dd if=/proc/swaps bs=1 # usual output Filename Type Size Used Priority /dev/dm-0 partition 4194812 97536 -2 104+0 records in 104+0 records out 104 bytes copied $ dd if=/proc/swaps bs=40 skip=1 # last line was generated twice dd: /proc/swaps: cannot skip to specified offset v/dm-0 partition 4194812 97536 -2 /dev/dm-0 partition 4194812 97536 -2 3+1 records in 3+1 records out 131 bytes copied There are lot of other affected files, I've found 30+ including /proc/net/ip_tables_matches and /proc/sysvipc/* Following patch fixes the problem in keys-related file. https://bugzilla.kernel.org/show_bug.cgi?id=206283 Vasily Averin (1): proc_keys_next should increase position index security/keys/proc.c | 2 ++ 1 file changed, 2 insertions(+)