| Message ID | 20211116194217.481966-2-cascardo@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [SRU,Hirsute/Impish] vfs: check fd has read access in kernel_read_file_from_fd() | expand |
On 16.11.21 20:42, Thadeu Lima de Souza Cascardo wrote: > From: "Matthew Wilcox (Oracle)" <willy@infradead.org> > > BugLink: https://bugs.launchpad.net/bugs/1950644 > > If we open a file without read access and then pass the fd to a syscall > whose implementation calls kernel_read_file_from_fd(), we get a warning > from __kernel_read(): > > if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) > > This currently affects both finit_module() and kexec_file_load(), but it > could affect other syscalls in the future. > > Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org > Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()") > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> > Reported-by: Hao Sun <sunhao.th@gmail.com> > Reviewed-by: Kees Cook <keescook@chromium.org> > Acked-by: Christian Brauner <christian.brauner@ubuntu.com> > Cc: Al Viro <viro@zeniv.linux.org.uk> > Cc: Mimi Zohar <zohar@linux.ibm.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > (cherry picked from commit 032146cda85566abcd1c4884d9d23e4e30a07e9a) > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- There are 2 duplicates caused by me moderating the mailing list. Thadeu, not sure I really see why one was blocked and the other not. Just generally if you could delay re-sends until the next day. Do not count on my ability to realize what was already re-send. Hard enough to say what is spam or not sometimes... -Stefan > fs/kernel_read_file.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/kernel_read_file.c b/fs/kernel_read_file.c > index 90d255fbdd9b..c84d87f558cb 100644 > --- a/fs/kernel_read_file.c > +++ b/fs/kernel_read_file.c > @@ -178,7 +178,7 @@ int kernel_read_file_from_fd(int fd, loff_t offset, void **buf, > struct fd f = fdget(fd); > int ret = -EBADF; > > - if (!f.file) > + if (!f.file || !(f.file->f_mode & FMODE_READ)) > goto out; > > ret = kernel_read_file(f.file, offset, buf, buf_size, file_size, id); >
On Wed, Nov 17, 2021 at 08:24:28AM +0100, Stefan Bader wrote: > On 16.11.21 20:42, Thadeu Lima de Souza Cascardo wrote: > > From: "Matthew Wilcox (Oracle)" <willy@infradead.org> > > > > BugLink: https://bugs.launchpad.net/bugs/1950644 > > > > If we open a file without read access and then pass the fd to a syscall > > whose implementation calls kernel_read_file_from_fd(), we get a warning > > from __kernel_read(): > > > > if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) > > > > This currently affects both finit_module() and kexec_file_load(), but it > > could affect other syscalls in the future. > > > > Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org > > Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()") > > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> > > Reported-by: Hao Sun <sunhao.th@gmail.com> > > Reviewed-by: Kees Cook <keescook@chromium.org> > > Acked-by: Christian Brauner <christian.brauner@ubuntu.com> > > Cc: Al Viro <viro@zeniv.linux.org.uk> > > Cc: Mimi Zohar <zohar@linux.ibm.com> > > Cc: <stable@vger.kernel.org> > > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (cherry picked from commit 032146cda85566abcd1c4884d9d23e4e30a07e9a) > > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > > --- > > There are 2 duplicates caused by me moderating the mailing list. Thadeu, not > sure I really see why one was blocked and the other not. Just generally if > you could delay re-sends until the next day. Do not count on my ability to > realize what was already re-send. Hard enough to say what is spam or not > sometimes... > > -Stefan > I didn't send it twice, not that I recall of. So, the versions that are currently on list (looking at the web history) are the intendend versions. Cascardo. > > fs/kernel_read_file.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/fs/kernel_read_file.c b/fs/kernel_read_file.c > > index 90d255fbdd9b..c84d87f558cb 100644 > > --- a/fs/kernel_read_file.c > > +++ b/fs/kernel_read_file.c > > @@ -178,7 +178,7 @@ int kernel_read_file_from_fd(int fd, loff_t offset, void **buf, > > struct fd f = fdget(fd); > > int ret = -EBADF; > > - if (!f.file) > > + if (!f.file || !(f.file->f_mode & FMODE_READ)) > > goto out; > > ret = kernel_read_file(f.file, offset, buf, buf_size, file_size, id); > > > >
On 16.11.21 20:42, Thadeu Lima de Souza Cascardo wrote: > From: "Matthew Wilcox (Oracle)" <willy@infradead.org> > > BugLink: https://bugs.launchpad.net/bugs/1950644 > > If we open a file without read access and then pass the fd to a syscall > whose implementation calls kernel_read_file_from_fd(), we get a warning > from __kernel_read(): > > if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) > > This currently affects both finit_module() and kexec_file_load(), but it > could affect other syscalls in the future. > > Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org > Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()") > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> > Reported-by: Hao Sun <sunhao.th@gmail.com> > Reviewed-by: Kees Cook <keescook@chromium.org> > Acked-by: Christian Brauner <christian.brauner@ubuntu.com> > Cc: Al Viro <viro@zeniv.linux.org.uk> > Cc: Mimi Zohar <zohar@linux.ibm.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > (cherry picked from commit 032146cda85566abcd1c4884d9d23e4e30a07e9a) > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > fs/kernel_read_file.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/kernel_read_file.c b/fs/kernel_read_file.c > index 90d255fbdd9b..c84d87f558cb 100644 > --- a/fs/kernel_read_file.c > +++ b/fs/kernel_read_file.c > @@ -178,7 +178,7 @@ int kernel_read_file_from_fd(int fd, loff_t offset, void **buf, > struct fd f = fdget(fd); > int ret = -EBADF; > > - if (!f.file) > + if (!f.file || !(f.file->f_mode & FMODE_READ)) > goto out; > > ret = kernel_read_file(f.file, offset, buf, buf_size, file_size, id); >
diff --git a/fs/kernel_read_file.c b/fs/kernel_read_file.c index 90d255fbdd9b..c84d87f558cb 100644 --- a/fs/kernel_read_file.c +++ b/fs/kernel_read_file.c @@ -178,7 +178,7 @@ int kernel_read_file_from_fd(int fd, loff_t offset, void **buf, struct fd f = fdget(fd); int ret = -EBADF; - if (!f.file) + if (!f.file || !(f.file->f_mode & FMODE_READ)) goto out; ret = kernel_read_file(f.file, offset, buf, buf_size, file_size, id);