summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeff Layton <jlayton@redhat.com>2014-02-14 07:20:35 -0500
committerBen Hutchings <ben@decadent.org.uk>2014-04-09 02:20:46 +0100
commitb1a292f3ccbbfe864cb4931e8fed4baea6b17eb8 (patch)
treefd9542c45dcee330716a2dc2266227574d98b802
parentf5652b31f13ab198ed6802349d6b472e222596c2 (diff)
downloadlwn-b1a292f3ccbbfe864cb4931e8fed4baea6b17eb8.tar.gz
lwn-b1a292f3ccbbfe864cb4931e8fed4baea6b17eb8.zip
cifs: ensure that uncached writes handle unmapped areas correctly
commit 5d81de8e8667da7135d3a32a964087c0faf5483f upstream. It's possible for userland to pass down an iovec via writev() that has a bogus user pointer in it. If that happens and we're doing an uncached write, then we can end up getting less bytes than we expect from the call to iov_iter_copy_from_user. This is CVE-2014-0069 cifs_iovec_write isn't set up to handle that situation however. It'll blindly keep chugging through the page array and not filling those pages with anything useful. Worse yet, we'll later end up with a negative number in wdata->tailsz, which will confuse the sending routines and cause an oops at the very least. Fix this by having the copy phase of cifs_iovec_write stop copying data in this situation and send the last write as a short one. At the same time, we want to avoid sending a zero-length write to the server, so break out of the loop and set rc to -EFAULT if that happens. This also allows us to handle the case where no address in the iovec is valid. [Note: Marking this for stable on v3.4+ kernels, but kernels as old as v2.6.38 may have a similar problem and may need similar fix] Reviewed-by: Pavel Shilovsky <piastry@etersoft.ru> Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com> [bwh: Backported to 3.2: - Adjust context - s/nr_pages/npages/ - s/wdata->pages/pages/ - In case of an error with no data copied, we must kunmap() page 0, but in neither case should we free anything else] Thanks to Raphael Geissert for an independent backport that showed some bugs in my first version.] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r--fs/cifs/file.c34
1 files changed, 31 insertions, 3 deletions
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index c55808edddf4..aa05d5e6c3ae 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -2107,7 +2107,7 @@ cifs_iovec_write(struct file *file, const struct iovec *iov,
{
unsigned int written;
unsigned long num_pages, npages, i;
- size_t copied, len, cur_len;
+ size_t bytes, copied, len, cur_len;
ssize_t total_written = 0;
struct kvec *to_send;
struct page **pages;
@@ -2165,17 +2165,45 @@ cifs_iovec_write(struct file *file, const struct iovec *iov,
do {
size_t save_len = cur_len;
for (i = 0; i < npages; i++) {
- copied = min_t(const size_t, cur_len, PAGE_CACHE_SIZE);
+ bytes = min_t(const size_t, cur_len, PAGE_CACHE_SIZE);
copied = iov_iter_copy_from_user(pages[i], &it, 0,
- copied);
+ bytes);
cur_len -= copied;
iov_iter_advance(&it, copied);
to_send[i+1].iov_base = kmap(pages[i]);
to_send[i+1].iov_len = copied;
+ /*
+ * If we didn't copy as much as we expected, then that
+ * may mean we trod into an unmapped area. Stop copying
+ * at that point. On the next pass through the big
+ * loop, we'll likely end up getting a zero-length
+ * write and bailing out of it.
+ */
+ if (copied < bytes)
+ break;
}
cur_len = save_len - cur_len;
+ /*
+ * If we have no data to send, then that probably means that
+ * the copy above failed altogether. That's most likely because
+ * the address in the iovec was bogus. Set the rc to -EFAULT,
+ * free anything we allocated and bail out.
+ */
+ if (!cur_len) {
+ kunmap(pages[0]);
+ if (!total_written)
+ total_written = -EFAULT;
+ break;
+ }
+
+ /*
+ * i + 1 now represents the number of pages we actually used in
+ * the copy phase above.
+ */
+ npages = min(npages, i + 1);
+
do {
if (open_file->invalidHandle) {
rc = cifs_reopen_file(open_file, false);