From patchwork Fri Jun 10 20:11:24 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Lutomirski X-Patchwork-Id: 9170419 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 1E294607D9 for ; Fri, 10 Jun 2016 20:11:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 105BC28325 for ; Fri, 10 Jun 2016 20:11:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 04F492833F; Fri, 10 Jun 2016 20:11:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 99A69281F9 for ; Fri, 10 Jun 2016 20:11:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752607AbcFJULe (ORCPT ); Fri, 10 Jun 2016 16:11:34 -0400 Received: from mail.kernel.org ([198.145.29.136]:59814 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751777AbcFJULc (ORCPT ); Fri, 10 Jun 2016 16:11:32 -0400 Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id ADF2A20279; Fri, 10 Jun 2016 20:11:30 +0000 (UTC) Received: from localhost (c-71-202-137-17.hsd1.ca.comcast.net [71.202.137.17]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C22C920295; Fri, 10 Jun 2016 20:11:29 +0000 (UTC) From: Andy Lutomirski To: Linux FS Devel , Al Viro Cc: Stephen Rothwell , Andrew Morton , Andy Lutomirski , stable@vger.kernel.org Subject: [PATCH 1/2] fs: Improve and simplify copy_mount_options Date: Fri, 10 Jun 2016 13:11:24 -0700 Message-Id: <65eb3a26a05a46d1db4fd290516edf03dff52176.1465589343.git.luto@kernel.org> X-Mailer: git-send-email 2.5.5 In-Reply-To: References: In-Reply-To: References: X-Virus-Scanned: ClamAV using ClamSMTP Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP copy_mount_options always tries to copy a full page even if the string is shorter than a page. If the string starts part-way into a page and ends on the same page it started on, this means that copy_mount_options can overrun the supplied buffer and read into the next page. If the buffer came from userspace (USER_DS), then this could be a performance issue (reading across the page boundary could block). If the buffer came from the kernel (KERNEL_DS), then this could read an unrelated page, and the kernel can have pages mapped in that have side-effects. I noticed this due to a new sanity-check I'm working on that tries to make sure that we don't try to access nonexistent pages under KERNEL_DS. This is the same issue that was fixed by commit eca6f534e619 ("fs: fix overflow in sys_mount() for in-kernel calls"), but for copy_mount_options instead of copy_mount_string. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski --- fs/namespace.c | 58 ++++++++++++---------------------------------------------- 1 file changed, 12 insertions(+), 46 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index 4fb1691b4355..dfb5f370f2fa 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2581,38 +2581,13 @@ static void shrink_submounts(struct mount *mnt) } } -/* - * Some copy_from_user() implementations do not return the exact number of - * bytes remaining to copy on a fault. But copy_mount_options() requires that. - * Note that this function differs from copy_from_user() in that it will oops - * on bad values of `to', rather than returning a short copy. +/* Copy the mount options string. Always returns a full page padded + * with nulls. If the input string is a full page or more, it may be + * truncated and the result will not be null-terminated. */ -static long exact_copy_from_user(void *to, const void __user * from, - unsigned long n) -{ - char *t = to; - const char __user *f = from; - char c; - - if (!access_ok(VERIFY_READ, from, n)) - return n; - - while (n) { - if (__get_user(c, f)) { - memset(t, 0, n); - break; - } - *t++ = c; - f++; - n--; - } - return n; -} - -void *copy_mount_options(const void __user * data) +void *copy_mount_options(const void __user *data) { - int i; - unsigned long size; + long size; char *copy; if (!data) @@ -2622,22 +2597,13 @@ void *copy_mount_options(const void __user * data) if (!copy) return ERR_PTR(-ENOMEM); - /* We only care that *some* data at the address the user - * gave us is valid. Just in case, we'll zero - * the remainder of the page. - */ - /* copy_from_user cannot cross TASK_SIZE ! */ - size = TASK_SIZE - (unsigned long)data; - if (size > PAGE_SIZE) - size = PAGE_SIZE; - - i = size - exact_copy_from_user(copy, data, size); - if (!i) { - kfree(copy); - return ERR_PTR(-EFAULT); - } - if (i != PAGE_SIZE) - memset(copy + i, 0, PAGE_SIZE - i); + size = strncpy_from_user(copy, data, PAGE_SIZE); + if (size < 0) + return ERR_PTR(size); + + /* If we got less than PAGE_SIZE bytes, zero out the remainder. */ + memset(copy + size, 0, PAGE_SIZE); + return copy; }