From patchwork Tue Oct 12 10:06:26 2010
X-Patchwork-Submitter: Sanchit Garg
X-Patchwork-Id: 247361
From: Sanchit Garg
To: v9fs-developer@lists.sourceforge.net
Date: Tue, 12 Oct 2010 15:36:26 +0530
Message-ID: <20101012100626.1722.68762.stgit@sancgarg.in.ibm.com>
User-Agent: StGit/0.15
Subject: [V9fs-developer] [PATCH] Read/Write from bad user space buffer

diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 3a4352f..b96cc0e 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -379,6 +379,42 @@ v9fs_file_readn(struct file *filp, char *data, char __user *udata, u32 count, } /** + * Helper function to check if the write if going to be done outside the + * accessible address space. + * + */ + +ssize_t p9_check_if_accessible(const char __user *data, + size_t count, loff_t *offset) +{ + struct iovec iov = { .iov_base = (void __user *)data, + .iov_len = count }; + struct iov_iter i; + unsigned long nr_segs = 1; + size_t fcount, ocount = 0; + ssize_t err; + pgoff_t index; + unsigned long diff, bytes; + + err = generic_segment_checks(&iov, &nr_segs, &ocount, VERIFY_READ); + + if (err) + return err; + + fcount = ocount; + iov_iter_init(&i, &iov, nr_segs, fcount, 0); + diff = (*offset & (PAGE_CACHE_SIZE - 1)); + index = *offset >> PAGE_CACHE_SHIFT; + bytes = min_t(unsigned long, PAGE_CACHE_SIZE - diff, + iov_iter_count(&i)); + + if (iov_iter_fault_in_readable(&i, bytes)) + return -EFAULT; + + return 0; +} + +/** * v9fs_file_read - read from a file * @filp: file pointer to read * @udata: user data buffer to read data into @@ -394,8 +430,15 @@ v9fs_file_read(struct file *filp, char __user *udata, size_t count, int ret; struct p9_fid *fid; size_t size; + ssize_t err; P9_DPRINTK(P9_DEBUG_VFS, "count %zu offset %lld\n", count, *offset); + + err = p9_check_if_accessible(udata, count, offset); + + if (err < 0) + return err; + fid = filp->private_data; size = fid->iounit ? fid->iounit : fid->clnt->msize - P9_IOHDRSZ; @@ -431,10 +474,16 @@ v9fs_file_write(struct file *filp, const char __user * data, struct inode *inode = filp->f_path.dentry->d_inode; loff_t origin = *offset; unsigned long pg_start, pg_end; + ssize_t err; P9_DPRINTK(P9_DEBUG_VFS, "data %p count %d offset %x\n", data, (int)count, (int)*offset); + err = p9_check_if_accessible(data, count, offset); + + if (err < 0) + return err; + fid = filp->private_data; clnt = fid->clnt;
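Review bot: in the first hunk (the new `p9_check_if_accessible` helper), the check does not verify what the callers need it to. `generic_segment_checks(..., VERIFY_READ)` and `iov_iter_fault_in_readable()` only establish that the kernel can read from the user buffer, but `v9fs_file_read` writes into `udata`, so a read-only user mapping passes here and still faults later; the read path needs VERIFY_WRITE semantics. `iov_iter_fault_in_readable(&i, bytes)` also touches at most `bytes`, which is capped at one page, so a buffer whose later pages are unmapped passes unchanged, and `diff = (*offset & (PAGE_CACHE_SIZE - 1))` splits on the file offset, which says nothing about the user address. Because the mapping can change between this check and the actual copy, the `copy_to_user`/`copy_from_user` in the transfer must keep returning -EFAULT regardless; either drop the pre-check in favour of propagating that error, or reduce the helper to the segment check and document it as an early-out only. Smaller points: the function should be `static` (no prototype, single-file use), `index` is assigned but never read, `fcount` is a plain copy of `ocount`, and the kerneldoc reads "check if the write if going to be done" (should be "is", and it should mention reads too since `v9fs_file_read` calls it).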
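Review bot: in the `v9fs_file_read` hunk, `ssize_t err` duplicates the function's existing `int ret` as a second return-code variable; reuse `ret` (or make the helper return `int`) and drop the extra declaration. `if (err < 0)` can be `if (err)`, since the helper only ever returns 0 or a negative errno. Note also that the helper is called with `udata` as a buffer to be *read*, while this function copies data *into* `udata`, so the check is in the wrong direction for this call site.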
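Review bot: in the `v9fs_file_write` hunk, `offset` is passed to `p9_check_if_accessible` only so the helper can read `*offset` for a page split that has no bearing on whether `data` is accessible; pass the pointer and `count` alone and the helper no longer needs the `loff_t *` parameter at all. As in the read hunk, `if (err < 0)` should be `if (err)`, and the `ssize_t err` local could be avoided by reusing an existing return variable. The existing `P9_DPRINTK` line still prints `count` and `*offset` through `(int)` casts with `%d`/`%x`; not part of this change, but worth fixing while touching this function since large offsets are truncated in the debug output.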