From patchwork Tue Jun 14 02:36:04 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Lutomirski X-Patchwork-Id: 9174903 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A443B6044F for ; Tue, 14 Jun 2016 02:36:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 96CC32804C for ; Tue, 14 Jun 2016 02:36:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8BBDC281BE; Tue, 14 Jun 2016 02:36:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 320922804C for ; Tue, 14 Jun 2016 02:36:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1422876AbcFNCgL (ORCPT ); Mon, 13 Jun 2016 22:36:11 -0400 Received: from mail.kernel.org ([198.145.29.136]:58874 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1422658AbcFNCgJ (ORCPT ); Mon, 13 Jun 2016 22:36:09 -0400 Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id F07D9200E8; Tue, 14 Jun 2016 02:36:07 +0000 (UTC) Received: from localhost (c-71-202-137-17.hsd1.ca.comcast.net [71.202.137.17]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0750C20160; Tue, 14 Jun 2016 02:36:06 +0000 (UTC) From: Andy Lutomirski To: Linux FS Devel , Al Viro Cc: Stephen Rothwell , Andrew Morton , Andy Lutomirski , stable@vger.kernel.org Subject: [PATCH v2 1/2] fs: Improve and simplify copy_mount_options Date: Mon, 13 Jun 2016 19:36:04 -0700 Message-Id: X-Mailer: git-send-email 2.7.4 In-Reply-To: References: In-Reply-To: References: X-Virus-Scanned: ClamAV using ClamSMTP Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP copy_mount_options always tries to copy a full page even if the string is shorter than a page. If the string starts part-way into a page and ends on the same page it started on, this means that copy_mount_options can overrun the supplied buffer and read into the next page. If the buffer came from userspace (USER_DS), then this could be a performance issue (reading across the page boundary could block). If the buffer came from the kernel (KERNEL_DS), then this could read an unrelated page, and the kernel can have pages mapped in that have side-effects. I noticed this due to a new sanity-check I'm working on that tries to make sure that we don't try to access nonexistent pages under KERNEL_DS. This is the same issue that was fixed by commit eca6f534e619 ("fs: fix overflow in sys_mount() for in-kernel calls"), but for copy_mount_options instead of copy_mount_string. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski --- fs/namespace.c | 56 ++++++++++++-------------------------------------------- 1 file changed, 12 insertions(+), 44 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index 4fb1691b4355..8644f1961ca6 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2581,38 +2581,13 @@ static void shrink_submounts(struct mount *mnt) } } -/* - * Some copy_from_user() implementations do not return the exact number of - * bytes remaining to copy on a fault. But copy_mount_options() requires that. - * Note that this function differs from copy_from_user() in that it will oops - * on bad values of `to', rather than returning a short copy. +/* Copy the mount options string. Always returns a full page padded + * with nulls. If the input string is a full page or more, it may be + * truncated and the result will not be null-terminated. */ -static long exact_copy_from_user(void *to, const void __user * from, - unsigned long n) +void *copy_mount_options(const void __user *data) { - char *t = to; - const char __user *f = from; - char c; - - if (!access_ok(VERIFY_READ, from, n)) - return n; - - while (n) { - if (__get_user(c, f)) { - memset(t, 0, n); - break; - } - *t++ = c; - f++; - n--; - } - return n; -} - -void *copy_mount_options(const void __user * data) -{ - int i; - unsigned long size; + long size; char *copy; if (!data) @@ -2622,22 +2597,15 @@ void *copy_mount_options(const void __user * data) if (!copy) return ERR_PTR(-ENOMEM); - /* We only care that *some* data at the address the user - * gave us is valid. Just in case, we'll zero - * the remainder of the page. - */ - /* copy_from_user cannot cross TASK_SIZE ! */ - size = TASK_SIZE - (unsigned long)data; - if (size > PAGE_SIZE) - size = PAGE_SIZE; - - i = size - exact_copy_from_user(copy, data, size); - if (!i) { + size = strncpy_from_user(copy, data, PAGE_SIZE); + if (size < 0) { kfree(copy); - return ERR_PTR(-EFAULT); + return ERR_PTR(size); } - if (i != PAGE_SIZE) - memset(copy + i, 0, PAGE_SIZE - i); + + /* If we got less than PAGE_SIZE bytes, zero out the remainder. */ + memset(copy + size, 0, PAGE_SIZE - size); + return copy; }