[SRU,Xenial,1/1] more bio_map_user_iov() leak fixes

Message ID	20171208133823.18790-2-kleber.souza@canonical.com
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Kleber Sacilotto de Souza <kleber.souza@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU][Xenial][PATCH 1/1] more bio_map_user_iov() leak fixes Date: Fri, 8 Dec 2017 14:38:23 +0100 Message-Id: <20171208133823.18790-2-kleber.souza@canonical.com> In-Reply-To: <20171208133823.18790-1-kleber.souza@canonical.com> References: <20171208133823.18790-1-kleber.souza@canonical.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	Fix for CVE-2017-12190 \| expand [SRU,Xenial,0/1] Fix for CVE-2017-12190 [SRU,Xenial,1/1] more bio_map_user_iov() leak fixes

Message ID

20171208133823.18790-2-kleber.souza@canonical.com

State

New

Headers

From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Xenial][PATCH 1/1] more bio_map_user_iov() leak fixes
Date: Fri,  8 Dec 2017 14:38:23 +0100
Message-Id: <20171208133823.18790-2-kleber.souza@canonical.com>
In-Reply-To: <20171208133823.18790-1-kleber.souza@canonical.com>
References: <20171208133823.18790-1-kleber.souza@canonical.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

Fix for CVE-2017-12190 | expand

Commit Message

Kleber Sacilotto de Souza Dec. 8, 2017, 1:38 p.m. UTC

From: Al Viro <viro@zeniv.linux.org.uk>

we need to take care of failure exit as well - pages already
in bio should be dropped by analogue of bio_unmap_pages(),
since their refcounts had been bumped only once per reference
in bio.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

CVE-CVE-2017-12190
(backported from commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058)
[klebers: page_cache_release() is defined as put_page(), but keep it as
 page_cache_release() for consistency with the rest of the code.]
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 block/bio.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

Comments

Stefan Bader Dec. 12, 2017, 10:03 a.m. UTC | #1

On 08.12.2017 13:38, Kleber Sacilotto de Souza wrote:
> From: Al Viro <viro@zeniv.linux.org.uk>
> 
> we need to take care of failure exit as well - pages already
> in bio should be dropped by analogue of bio_unmap_pages(),
> since their refcounts had been bumped only once per reference
> in bio.
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> 
> CVE-CVE-2017-12190
> (backported from commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058)
> [klebers: page_cache_release() is defined as put_page(), but keep it as
>  page_cache_release() for consistency with the rest of the code.]
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>

> ---

Same provisional ack in case both functions are the same.

>  block/bio.c | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/block/bio.c b/block/bio.c
> index 68bbc835bacc..6750552d6b16 100644
> --- a/block/bio.c
> +++ b/block/bio.c
> @@ -1268,6 +1268,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
>  	int ret, offset;
>  	struct iov_iter i;
>  	struct iovec iov;
> +	struct bio_vec *bvec;
>  
>  	iov_for_each(iov, i, *iter) {
>  		unsigned long uaddr = (unsigned long) iov.iov_base;
> @@ -1312,7 +1313,12 @@ struct bio *bio_map_user_iov(struct request_queue *q,
>  		ret = get_user_pages_fast(uaddr, local_nr_pages,
>  				(iter->type & WRITE) != WRITE,
>  				&pages[cur_page]);
> -		if (ret < local_nr_pages) {
> +		if (unlikely(ret < local_nr_pages)) {
> +			for (j = cur_page; j < page_limit; j++) {
> +				if (!pages[j])
> +					break;
> +				put_page(pages[j]);
> +			}
>  			ret = -EFAULT;
>  			goto out_unmap;
>  		}
> @@ -1374,10 +1380,8 @@ struct bio *bio_map_user_iov(struct request_queue *q,
>  	return bio;
>  
>   out_unmap:
> -	for (j = 0; j < nr_pages; j++) {
> -		if (!pages[j])
> -			break;
> -		page_cache_release(pages[j]);
> +	bio_for_each_segment_all(bvec, bio, j) {
> +		page_cache_release(bvec->bv_page);
>  	}
>   out:
>  	kfree(pages);
>

Thadeu Lima de Souza Cascardo Dec. 12, 2017, 9:01 p.m. UTC | #2

Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

Thadeu Lima de Souza Cascardo Dec. 13, 2017, 8:44 a.m. UTC | #3

Applied to xenial master-next branch.

Thanks.
Cascardo.

Applied-to: xenial/master-next

Thadeu Lima de Souza Cascardo Dec. 13, 2017, 8:44 a.m. UTC | #4

Applied to zesty master-next branch.

Thanks.
Cascardo.

Applied-to: zesty/master-next

diff --git a/block/bio.c b/block/bio.c
index 68bbc835bacc..6750552d6b16 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1268,6 +1268,7 @@  struct bio *bio_map_user_iov(struct request_queue *q,
 	int ret, offset;
 	struct iov_iter i;
 	struct iovec iov;
+	struct bio_vec *bvec;
 
 	iov_for_each(iov, i, *iter) {
 		unsigned long uaddr = (unsigned long) iov.iov_base;
@@ -1312,7 +1313,12 @@  struct bio *bio_map_user_iov(struct request_queue *q,
 		ret = get_user_pages_fast(uaddr, local_nr_pages,
 				(iter->type & WRITE) != WRITE,
 				&pages[cur_page]);
-		if (ret < local_nr_pages) {
+		if (unlikely(ret < local_nr_pages)) {
+			for (j = cur_page; j < page_limit; j++) {
+				if (!pages[j])
+					break;
+				put_page(pages[j]);
+			}
 			ret = -EFAULT;
 			goto out_unmap;
 		}
@@ -1374,10 +1380,8 @@  struct bio *bio_map_user_iov(struct request_queue *q,
 	return bio;
 
  out_unmap:
-	for (j = 0; j < nr_pages; j++) {
-		if (!pages[j])
-			break;
-		page_cache_release(pages[j]);
+	bio_for_each_segment_all(bvec, bio, j) {
+		page_cache_release(bvec->bv_page);
 	}
  out:
 	kfree(pages);

[SRU,Xenial,1/1] more bio_map_user_iov() leak fixes

Commit Message

Comments

Patch