From patchwork Fri Mar 31 15:53:35 2017
X-Patchwork-Submitter: Dmitry Monakhov
X-Patchwork-Id: 9656655
From: Dmitry Monakhov
To: target-devel@vger.kernel.org
Cc: Dmitry Monakhov
Subject: [PATCH 1/2] tcm_fileio: Prevent information leak for short reads
Date: Fri, 31 Mar 2017 19:53:35 +0400
Message-Id: <1490975616-27057-1-git-send-email-dmonakhov@openvz.org>

If we failed to read data from the backing file (probably because someone truncated the file under us), we must zerofill cmd's data, otherwise it will be returned as is. Most likely cmd's data are uninitialized pages from the page cache. This results in an information leak.

testcase: https://github.com/dmonakhov/xfstests/commit/e11a1b7b907ca67b1be51a1594025600767366d5

Signed-off-by: Dmitry Monakhov --- drivers/target/target_core_file.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c index 87aa376..d69908d 100644 --- a/drivers/target/target_core_file.c +++ b/drivers/target/target_core_file.c @@ -277,12 +277,11 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd, else ret = vfs_iter_read(fd, &iter, &pos); - kfree(bvec); - if (is_write) { if (ret < 0 || ret != data_length) { pr_err("%s() write returned %d\n", __func__, ret); - return (ret < 0 ? ret : -EINVAL); + if (ret >= 0) + ret = -EINVAL; } } else { /* @@ -295,17 +294,27 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd, pr_err("%s() returned %d, expecting %u for " "S_ISBLK\n", __func__, ret, data_length); - return (ret < 0 ? ret : -EINVAL); + if (ret >= 0) + ret = -EINVAL; } } else { if (ret < 0) { pr_err("%s() returned %d for non S_ISBLK\n", __func__, ret); - return ret; + } else if (ret != data_length) { + /* + * Short read case: + * Probably some one truncate file under us. + * We must explicitly zero sg-pages to prevent + * expose uninizialized pages to userspace. + */ + BUG_ON(ret > data_length); + ret += iov_iter_zero(data_length - ret, &iter); } } } - return 1; + kfree(bvec); + return ret; } static sense_reason_t
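
Review bot: in the first hunk (@@ -277,12 +277,11 @@), the relocated kfree(bvec) needs a comment explaining why it can no longer sit directly after the vfs_iter_read()/write call: iter still references bvec, and the new iov_iter_zero() call in the read path walks it. Without that note a later cleanup could move the free back up and turn the zero-fill into a use-after-free. The write error branch now only sets ret = -EINVAL and falls through, which is correct for reaching the single kfree at the end, but it means any code later added between the if (is_write) block and the final return will also run on failure; a goto out label would make the intent explicit.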
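
Review bot: in the second hunk (@@ -295,17 +294,27 @@), the result of "ret += iov_iter_zero(data_length - ret, &iter);" is never checked. iov_iter_zero() returns the number of bytes it actually zeroed, so if it stops early the function returns a short positive count while the tail of the sg pages is still uninitialized, which is the leak the patch is meant to close. Suggest comparing ret against data_length after the call and returning an error when they differ. Two smaller points in the same hunk: BUG_ON(ret > data_length) takes the whole machine down for a condition that can be handled, so WARN_ON_ONCE plus an error return would be preferable; and the final "return 1;" becomes "return ret;", which changes the success value from 1 to a byte count while the diffstat shows no caller being touched, so the commit message should state that callers only test the sign of the result.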