ublk: don't allow user copy for unprivileged device
UBLK_F_USER_COPY requires userspace to call write() on the ublk char
device to fill the request buffer, and an unprivileged device can't
be trusted.
So don't allow user copy for unprivileged device.
Cc: stable@vger.kernel.org
Fixes: 1172d5b8be
("ublk: support user copy")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20241016134847.2911721-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent
e972b08b91
commit
42aafd8b48
@ -2380,10 +2380,19 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd)
|
|||||||
* TODO: provide forward progress for RECOVERY handler, so that
|
* TODO: provide forward progress for RECOVERY handler, so that
|
||||||
* unprivileged device can benefit from it
|
* unprivileged device can benefit from it
|
||||||
*/
|
*/
|
||||||
if (info.flags & UBLK_F_UNPRIVILEGED_DEV)
|
if (info.flags & UBLK_F_UNPRIVILEGED_DEV) {
|
||||||
info.flags &= ~(UBLK_F_USER_RECOVERY_REISSUE |
|
info.flags &= ~(UBLK_F_USER_RECOVERY_REISSUE |
|
||||||
UBLK_F_USER_RECOVERY);
|
UBLK_F_USER_RECOVERY);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* For USER_COPY, we depends on userspace to fill request
|
||||||
|
* buffer by pwrite() to ublk char device, which can't be
|
||||||
|
* used for unprivileged device
|
||||||
|
*/
|
||||||
|
if (info.flags & UBLK_F_USER_COPY)
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
/* the created device is always owned by current user */
|
/* the created device is always owned by current user */
|
||||||
ublk_store_owner_uid_gid(&info.owner_uid, &info.owner_gid);
|
ublk_store_owner_uid_gid(&info.owner_uid, &info.owner_gid);
|
||||||
|
|
||||||
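Review bot: The comment added above the `UBLK_F_USER_COPY` check says the pwrite() path "can't be used" for an unprivileged device, but not why. The reason appears only in the header comment of this commit: an untrusted server can skip filling the request buffer, and uninitialized kernel data may then be leaked. I would restate it at the check, e.g. `/* untrusted server may skip pwrite(); the request buffer could then expose uninitialized kernel data */`, and fix "we depends" to "we depend". It is also worth a short comment on why this flag is rejected with `-EINVAL` while the recovery flags just above are silently masked off, since a caller sees two different behaviours from the same branch. The bare `return -EINVAL` is only safe if nothing has been allocated or locked earlier in `ublk_ctrl_add_dev`; the function starts and ends outside the hunk, so that should be confirmed.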
|
@ -175,7 +175,13 @@
|
|||||||
/* use ioctl encoding for uring command */
|
/* use ioctl encoding for uring command */
|
||||||
#define UBLK_F_CMD_IOCTL_ENCODE (1UL << 6)
|
#define UBLK_F_CMD_IOCTL_ENCODE (1UL << 6)
|
||||||
|
|
||||||
/* Copy between request and user buffer by pread()/pwrite() */
|
/*
|
||||||
|
* Copy between request and user buffer by pread()/pwrite()
|
||||||
|
*
|
||||||
|
* Not available for UBLK_F_UNPRIVILEGED_DEV, otherwise userspace may
|
||||||
|
* deceive us by not filling request buffer, then kernel uninitialized
|
||||||
|
* data may be leaked.
|
||||||
|
*/
|
||||||
#define UBLK_F_USER_COPY (1UL << 7)
|
#define UBLK_F_USER_COPY (1UL << 7)
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|