From patchwork Sun Apr 2 23:34:14 2017
X-Patchwork-Submitter: "Nicholas A. Bellinger"
X-Patchwork-Id: 9658685
Message-ID: <1491176054.8846.65.camel@haakon3.risingtidesystems.com>
Subject: Re: [PATCH 1/2] tcm_fileio: Prevent information leak for short reads
From: "Nicholas A. Bellinger"
To: Dmitry Monakhov
Cc: target-devel@vger.kernel.org
Date: Sun, 02 Apr 2017 16:34:14 -0700
In-Reply-To: <1490975616-27057-1-git-send-email-dmonakhov@openvz.org>
References: <1490975616-27057-1-git-send-email-dmonakhov@openvz.org>

Hi Dmitry,

On Fri, 2017-03-31 at 19:53 +0400, Dmitry Monakhov wrote:
> If we failed to read data from backing file (probably because someone
> truncated the file under us), we must zerofill cmd's data, otherwise it will
> be returned as is. Most likely cmd's data are uninitialized pages from
> page cache. This results in an information leak.
>
> testcase: https://github.com/dmonakhov/xfstests/commit/e11a1b7b907ca67b1be51a1594025600767366d5
> Signed-off-by: Dmitry Monakhov
> ---
> drivers/target/target_core_file.c | 21 +++++++++++++++------
> 1 file changed, 15 insertions(+), 6 deletions(-)
>

Nice catch on this one. Just a small comment below.

> diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c > index 87aa376..d69908d 100644 > --- a/drivers/target/target_core_file.c > +++ b/drivers/target/target_core_file.c 
> @@ -295,17 +294,27 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd, > pr_err("%s() returned %d, expecting %u for " > "S_ISBLK\n", __func__, ret, > data_length); > - return (ret < 0 ? ret : -EINVAL); > + if (ret >= 0) > + ret = -EINVAL; > } > } else { > if (ret < 0) { > pr_err("%s() returned %d for non S_ISBLK\n", > __func__, ret); > - return ret; > + } else if (ret != data_length) { > + /* > + * Short read case: > + * Probably some one truncate file under us. > + * We must explicitly zero sg-pages to prevent > + * expose uninizialized pages to userspace. > + */ > + BUG_ON(ret > data_length); > + ret += iov_iter_zero(data_length - ret, &iter); > } A BUG_ON for this is overkill. No need to kill the whole node. ;) Applying + squashing the follow atop your original patch to just return -EINVAL and fail se_cmd instead. Thank you, --- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c index d69908d..dd8f320 100644 --- a/drivers/target/target_core_file.c +++ b/drivers/target/target_core_file.c @@ -308,8 +308,10 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd, * We must explicitly zero sg-pages to prevent * expose uninizialized pages to userspace. */ - BUG_ON(ret > data_length); - ret += iov_iter_zero(data_length - ret, &iter); + if (ret < data_length) + ret += iov_iter_zero(data_length - ret, &iter); + else + ret = -EINVAL; } } }
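
Review bot: In the quoted hunk for fd_do_rw(), the zero fill is reached only on the `else if (ret != data_length)` path of the non-S_ISBLK branch, while the `ret < 0` path and the S_ISBLK length-mismatch path now fall through (their `return` statements are removed) without touching the sg pages. The commit message says cmd's data must be zero-filled when the read from the backing file fails, so either zero the pages on those two paths as well or say in the comment why a negative return is enough to keep the buffer from being sent back. The result of iov_iter_zero() is also added to ret unchecked; if it zeroes fewer bytes than requested, ret stays below data_length, and the code after this hunk, which is not visible here, has to treat that as a failure.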
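
Review bot: The new `else` branch in the follow-up hunk (@@ -308,8 +308,10 @@) handles ret > data_length by setting `ret = -EINVAL` silently, while the other failure paths of fd_do_rw() shown in the quoted hunk report through pr_err(). Add a pr_err() there that prints ret and data_length so an over-long return can be diagnosed, and extend the comment above it, which still describes only the short read case. The "uninizialized" typo in that comment can be fixed in the same squash.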
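
The short-read handling discussed in this thread, shown as a userspace analogue. This is an added example, not code from the patch or the kernel; `read_zero_tail` and `demo_stale_bytes` are hypothetical names, and the 10-byte file and 0xAA-filled buffer are constructed sample input standing in for a truncated backing file and stale pages.

```c
#define _XOPEN_SOURCE 700   /* pread(), mkstemp() */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: read `len` bytes at offset `off` into `buf`.
 * A short read (EOF before `len`, e.g. the file was truncated) zeroes the
 * unread tail. Returns len on success, -errno on failure (buffer scrubbed). */
ssize_t read_zero_tail(int fd, void *buf, size_t len, off_t off)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = pread(fd, (char *)buf + done, len - done, off + (off_t)done);
        if (n < 0) {
            int err = errno;
            if (err == EINTR)
                continue;
            memset(buf, 0, len);    /* fail the request, expose nothing */
            return -err;
        }
        if (n == 0)                 /* EOF: short read */
            break;
        done += (size_t)n;
    }
    memset((char *)buf + done, 0, len - done);  /* zero whatever was not read */
    return (ssize_t)len;
}

/* Constructed demo: 10-byte file, 32-byte request, buffer pre-filled with 0xAA.
 * Returns how many stale bytes survive the read (0 = no leak), -1 on error. */
int demo_stale_bytes(void)
{
    char path[] = "/tmp/shortread-XXXXXX";
    unsigned char buf[32];
    int fd = mkstemp(path), stale = 0;
    if (fd < 0)
        return -1;
    unlink(path);
    memset(buf, 0xAA, sizeof(buf));
    ssize_t w = write(fd, "0123456789", 10);
    ssize_t r = read_zero_tail(fd, buf, sizeof(buf), 0);
    close(fd);
    if (w != 10 || r != (ssize_t)sizeof(buf) || memcmp(buf, "0123456789", 10))
        return -1;
    for (size_t i = 10; i < sizeof(buf); i++)
        stale += (buf[i] != 0);
    return stale;
}

int main(void) { return demo_stale_bytes() == 0 ? 0 : 1; }
```

Without the final `memset`, the 22 bytes past the end of the file would still hold 0xAA when the buffer is handed back, which is the userspace equivalent of returning uninitialized sg pages.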