From patchwork Wed Jan 22 13:00:35 2020
X-Patchwork-Submitter: Christophe Leroy
X-Patchwork-Id: 11345683
From: Christophe Leroy
Subject: [PATCH v1 1/6] fs/readdir: Fix filldir() and filldir64() use of user_access_begin()
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman, Linus Torvalds, Alexander Viro, Andrew Morton
Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Date: Wed, 22 Jan 2020 13:00:35 +0000 (UTC)

Some architectures grant full access to userspace regardless of the address/len passed to user_access_begin(), but other architectures only grant access to the requested area.

For example, on 32-bit powerpc (book3s/32), access is granted by segments of 256 Mbytes.

Modify filldir() and filldir64() to request the real area they need to get access to.

Fixes: 9f79b78ef744 ("Convert filldir[64]() from __put_user() to unsafe_put_user()")
Signed-off-by: Christophe Leroy
---
 fs/readdir.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/fs/readdir.c b/fs/readdir.c index d26d5ea4de7b..ef04e5e76c59 100644 --- a/fs/readdir.c +++ b/fs/readdir.c @@ -236,15 +236,11 @@ static int filldir(struct dir_context *ctx, const char *name, int namlen, if (dirent && signal_pending(current)) return -EINTR; - /* - * Note! This range-checks 'previous' (which may be NULL). - * The real range was checked in getdents - */ - if (!user_access_begin(dirent, sizeof(*dirent))) + if (dirent && unlikely(put_user(offset, &dirent->d_off))) goto efault; - if (dirent) - unsafe_put_user(offset, &dirent->d_off, efault_end); dirent = buf->current_dir; + if (!user_access_begin(dirent, reclen)) + goto efault; unsafe_put_user(d_ino, &dirent->d_ino, efault_end); unsafe_put_user(reclen, &dirent->d_reclen, efault_end); unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end); @@ -323,15 +319,11 @@ static int filldir64(struct dir_context *ctx, const char *name, int namlen, if (dirent && signal_pending(current)) return -EINTR; - /* - * Note! This range-checks 'previous' (which may be NULL). - * The real range was checked in getdents - */ - if (!user_access_begin(dirent, sizeof(*dirent))) + if (dirent && unlikely(put_user(offset, &dirent->d_off))) goto efault; - if (dirent) - unsafe_put_user(offset, &dirent->d_off, efault_end); dirent = buf->current_dir; + if (!user_access_begin(dirent, reclen)) + goto efault; unsafe_put_user(ino, &dirent->d_ino, efault_end); unsafe_put_user(reclen, &dirent->d_reclen, efault_end); unsafe_put_user(d_type, &dirent->d_type, efault_end);
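
Review bot: In the filldir() hunk, the d_off update for the previous entry moves from unsafe_put_user() inside the open window to a standalone put_user(offset, &dirent->d_off), so every directory entry now pays for a second, self-contained user access (its own range check and access enable/disable) on top of the user_access_begin(dirent, reclen) window opened for the new record. That gives back part of the batching the commit named in the Fixes: tag introduced. If the previous record and the new record are adjacent in the user buffer, consider opening one window that starts at the previous record's d_off and runs to the end of the new record, and keeping unsafe_put_user(offset, &dirent->d_off, efault_end) inside it. The goto efault after the failed put_user() is the right label, since no window is open at that point.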
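
Review bot: In the filldir64() hunk, the comment that explained which range was passed to user_access_begin() is deleted and nothing replaces it, so the new call user_access_begin(dirent, reclen) and the separate put_user() before it carry no explanation in the source. Please add a short comment above the call saying that the window must cover the whole reclen-byte record at buf->current_dir because some architectures grant access only to the requested area, and that the previous entry's d_off is written separately because it lies outside that window. The reasoning is in the commit message today, but the next person to touch this path will read the code, and the old pattern of passing a range that only happened to work on architectures granting full access is easy to reintroduce without it.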