Re: [PATCH 181/190] Revert "dm ioctl: harden copy_params()'s copy_from_user() from malicious users"

From: Greg Kroah-Hartman
Date: Tue Apr 27 2021 - 12:58:47 EST


On Wed, Apr 21, 2021 at 03:00:56PM +0200, Greg Kroah-Hartman wrote:
> This reverts commit 800a7340ab7dd667edf95e74d8e4f23a17e87076.
>
> Commits from @umn.edu addresses have been found to be submitted in "bad
> faith" to try to test the kernel community's ability to review "known
> malicious" changes. The result of these submissions can be found in a
> paper published at the 42nd IEEE Symposium on Security and Privacy
> entitled, "Open Source Insecurity: Stealthily Introducing
> Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
> of Minnesota) and Kangjie Lu (University of Minnesota).
>
> Because of this, all submissions from this group must be reverted from
> the kernel tree and will need to be re-reviewed again to determine if
> they actually are a valid fix. Until that work is complete, remove this
> change to ensure that no problems are being introduced into the
> codebase.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Cc: Wenwen Wang <wang6495@xxxxxxx>
> Cc: Mike Snitzer <snitzer@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/md/dm-ioctl.c | 18 ++++++++++++------
> 1 file changed, 12 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
> index 1ca65b434f1f..820342de92cd 100644
> --- a/drivers/md/dm-ioctl.c
> +++ b/drivers/md/dm-ioctl.c
> @@ -1747,7 +1747,8 @@ static void free_params(struct dm_ioctl *param, size_t param_size, int param_fla
> }
>
> static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel,
> - int ioctl_flags, struct dm_ioctl **param, int *param_flags)
> + int ioctl_flags,
> + struct dm_ioctl **param, int *param_flags)
> {
> struct dm_ioctl *dmi;
> int secure_data;
> @@ -1788,13 +1789,18 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern
>
> *param_flags |= DM_PARAMS_MALLOC;
>
> - /* Copy from param_kernel (which was already copied from user) */
> - memcpy(dmi, param_kernel, minimum_data_size);
> -
> - if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size,
> - param_kernel->data_size - minimum_data_size))
> + if (copy_from_user(dmi, user, param_kernel->data_size))
> goto bad;
> +
> data_copied:
> + /*
> + * Abort if something changed the ioctl data while it was being copied.
> + */
> + if (dmi->data_size != param_kernel->data_size) {
> + DMERR("rejecting ioctl: data size modified while processing parameters");
> + goto bad;
> + }
> +
> /* Wipe the user buffer so we do not return it to userspace */
> if (secure_data && clear_user(user, param_kernel->data_size))
> goto bad;
> --
> 2.31.1
>

Original looks correct, dropping this commit now.

greg k-h