linux/fs
Mathieu Desnoyers 8aec0f5d41 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
compat_process_vm_rw() shows that the compatibility code requires an
explicit "access_ok()" check before calling
compat_rw_copy_check_uvector(). The same difference seems to appear when
we compare fs/read_write.c:do_readv_writev() to
fs/compat.c:compat_do_readv_writev().

This subtle difference between the compat and non-compat requirements
should probably be debated, as it seems to be error-prone. In fact,
there are two other sites that use this function in the Linux kernel,
and they both seem to get it wrong:

Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
also ends up calling compat_rw_copy_check_uvector() through
aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
be missing. Same situation for
security/keys/compat.c:compat_keyctl_instantiate_key_iov().

I propose that we add the access_ok() check directly into
compat_rw_copy_check_uvector(), so callers don't have to worry about it,
and it therefore makes the compat call code similar to its non-compat
counterpart. Place the access_ok() check in the same location where
copy_from_user() can trigger a -EFAULT error in the non-compat code, so
the ABI behaviors are alike on both compat and non-compat.

While we are here, fix compat_do_readv_writev() so it checks for
compat_rw_copy_check_uvector() negative return values.

And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
handling.

Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-03-12 11:05:45 -07:00
9p fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
adfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
affs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
afs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
autofs4 fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
befs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
bfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
btrfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2013-03-09 16:51:13 -08:00
cachefiles
ceph fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
cifs CIFS: Fix missing of oplock_read value in smb30_values structure 2013-03-06 19:37:01 -06:00
coda fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
configfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
cramfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
debugfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
devpts fs: Limit sys_mount to only request filesystem modules (Part 2). 2013-03-07 01:08:55 -08:00
dlm hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
ecryptfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2013-03-09 16:51:13 -08:00
efs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
exofs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
exportfs hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
ext2 fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
ext3 fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
ext4 fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
f2fs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
fat fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
freevxfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
fscache hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
fuse fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
gfs2 fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
hfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
hfsplus fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
hostfs hostfs: fix a not needed double check 2013-03-11 10:08:02 +01:00
hpfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
hppfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
hugetlbfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
isofs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
jbd
jbd2 jbd2: fix ERR_PTR dereference in jbd2__journal_start 2013-03-02 17:08:46 -05:00
jffs2 fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
jfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
lockd Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux 2013-02-28 18:02:55 -08:00
logfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
minix fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
ncpfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
nfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
nfs_common
nfsd fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
nilfs2 fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
nls
notify hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
ntfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
ocfs2 fs: Limit sys_mount to only request filesystem modules (Part 2). 2013-03-07 01:08:55 -08:00
omfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
openpromfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
proc proc: Use nd_jump_link in proc_ns_follow_link 2013-03-09 00:14:45 -08:00
pstore A few fixes to reduce places where pstore might hang 2013-02-21 09:38:18 -08:00
qnx4 fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
qnx6 fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
quota
ramfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
reiserfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
romfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
squashfs new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
sysfs hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
sysv fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
ubifs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
udf Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
ufs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
xfs fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
aio.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
anon_inodes.c get_empty_filp()/alloc_file() leave both ->f_pos and ->f_version zero 2013-02-26 02:46:11 -05:00
attr.c
bad_inode.c
binfmt_aout.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
binfmt_elf_fdpic.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
binfmt_elf.c ImgTec Meta architecture changes for v3.9-rc1 2013-03-03 12:06:09 -08:00
binfmt_em86.c
binfmt_flat.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
binfmt_misc.c fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
binfmt_script.c
binfmt_som.c
bio-integrity.c
bio.c
block_dev.c Merge branch 'for-3.9/core' of git://git.kernel.dk/linux-block 2013-02-28 12:52:24 -08:00
buffer.c Merge branch 'for-3.9/core' of git://git.kernel.dk/linux-block 2013-02-28 12:52:24 -08:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
compat.c Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys 2013-03-12 11:05:45 -07:00
coredump.c coredump: remove redundant defines for dumpable states 2013-02-27 19:10:11 -08:00
coredump.h
dcache.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
dcookies.c
direct-io.c fs: Fix possible use-after-free with AIO 2013-02-22 23:31:36 -05:00
drop_caches.c
eventfd.c
eventpoll.c
exec.c coredump: remove redundant defines for dumpable states 2013-02-27 19:10:11 -08:00
fcntl.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
fhandle.c
fifo.c
file_table.c cache the value of file_inode() in struct file 2013-03-01 19:48:30 -05:00
file.c locking: Various static lock initializer fixes 2013-02-19 08:42:45 +01:00
filesystems.c fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
fs_struct.c constify path_get/path_put and fs_struct.c stuff 2013-03-01 23:51:07 -05:00
fs-writeback.c 2 writeback fixes 2013-02-28 13:21:44 -08:00
generic_acl.c
inode.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
internal.h constify path_get/path_put and fs_struct.c stuff 2013-03-01 23:51:07 -05:00
ioctl.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
ioprio.c
Kconfig
Kconfig.binfmt
libfs.c
locks.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
Makefile
mbcache.c
mount.h
mpage.c
namei.c vfs: don't BUG_ON() if following a /proc fd pseudo-symlink results in a symlink 2013-03-08 09:03:07 -08:00
namespace.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
no-block.c
open.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-03-03 13:23:03 -08:00
pipe.c vfs: fix pipe counter breakage 2013-03-12 08:29:17 -07:00
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal 2013-03-02 08:34:06 -08:00
read_write.h
readdir.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
select.c
seq_file.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-03-03 13:23:03 -08:00
signalfd.c
splice.c export kernel_write(), convert open-coded instances 2013-02-26 02:46:11 -05:00
stack.c
stat.c switch vfs_getattr() to struct path 2013-02-26 02:46:08 -05:00
statfs.c
super.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
sync.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
timerfd.c compat: restore timerfd settime and gettime compat syscalls 2013-03-02 09:35:13 -05:00
utimes.c
xattr_acl.c
xattr.c