Message ID | 20211116194217.481966-3-cascardo@canonical.com |
---|---|
State | New |
Series | [SRU,Focal/Bionic] vfs: check fd has read access in kernel_read_file_from_fd() |
On 16.11.21 20:42, Thadeu Lima de Souza Cascardo wrote: > From: "Matthew Wilcox (Oracle)" <willy@infradead.org> > > BugLink: https://bugs.launchpad.net/bugs/1950644 > > commit 032146cda85566abcd1c4884d9d23e4e30a07e9a upstream. > > If we open a file without read access and then pass the fd to a syscall > whose implementation calls kernel_read_file_from_fd(), we get a warning > from __kernel_read(): > > if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) > > This currently affects both finit_module() and kexec_file_load(), but it > could affect other syscalls in the future. > > Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org > Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()") > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> > Reported-by: Hao Sun <sunhao.th@gmail.com> > Reviewed-by: Kees Cook <keescook@chromium.org> > Acked-by: Christian Brauner <christian.brauner@ubuntu.com> > Cc: Al Viro <viro@zeniv.linux.org.uk> > Cc: Mimi Zohar <zohar@linux.ibm.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 0f218ba4c8aac7041cd8b81a5a893b0d121e6316 linux-5.4.y) > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- This one also appears to be redundant to me. -Stefan > fs/exec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/exec.c b/fs/exec.c > index eeba096e8a38..006f7fb40b96 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1000,7 +1000,7 @@ int kernel_read_file_from_fd(int fd, void **buf, loff_t *size, loff_t max_size, > struct fd f = fdget(fd); > int ret = -EBADF; > > - if (!f.file) > + if (!f.file || !(f.file->f_mode & FMODE_READ)) > goto out; > > ret = kernel_read_file(f.file, buf, size, max_size, id); >
On 16.11.21 20:42, Thadeu Lima de Souza Cascardo wrote: > From: "Matthew Wilcox (Oracle)" <willy@infradead.org> > > BugLink: https://bugs.launchpad.net/bugs/1950644 > > commit 032146cda85566abcd1c4884d9d23e4e30a07e9a upstream. > > If we open a file without read access and then pass the fd to a syscall > whose implementation calls kernel_read_file_from_fd(), we get a warning > from __kernel_read(): > > if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) > > This currently affects both finit_module() and kexec_file_load(), but it > could affect other syscalls in the future. > > Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org > Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()") > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> > Reported-by: Hao Sun <sunhao.th@gmail.com> > Reviewed-by: Kees Cook <keescook@chromium.org> > Acked-by: Christian Brauner <christian.brauner@ubuntu.com> > Cc: Al Viro <viro@zeniv.linux.org.uk> > Cc: Mimi Zohar <zohar@linux.ibm.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 0f218ba4c8aac7041cd8b81a5a893b0d121e6316 linux-5.4.y) > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > fs/exec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/exec.c b/fs/exec.c > index eeba096e8a38..006f7fb40b96 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1000,7 +1000,7 @@ int kernel_read_file_from_fd(int fd, void **buf, loff_t *size, loff_t max_size, > struct fd f = fdget(fd); > int ret = -EBADF; > > - if (!f.file) > + if (!f.file || !(f.file->f_mode & FMODE_READ)) > goto out; > > ret = kernel_read_file(f.file, buf, size, max_size, id); >
diff --git a/fs/exec.c b/fs/exec.c index eeba096e8a38..006f7fb40b96 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1000,7 +1000,7 @@ int kernel_read_file_from_fd(int fd, void **buf, loff_t *size, loff_t max_size, struct fd f = fdget(fd); int ret = -EBADF; - if (!f.file) + if (!f.file || !(f.file->f_mode & FMODE_READ)) goto out; ret = kernel_read_file(f.file, buf, size, max_size, id);
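Review bot: in the changed condition in kernel_read_file_from_fd(), the `goto out` can now be taken with a non-NULL `f.file` (an fd whose `f_mode` lacks `FMODE_READ`), whereas before it was only reached when fdget() returned no file. The `out:` label is outside the visible context, so please confirm that it releases the reference with fdput(f) on this path; if it does not, the new early exit would leak a file reference. The no-read-access case also returns the same -EBADF as an invalid fd through the `int ret = -EBADF;` initializer, so a one-line comment above the check would make it clear that the shared error code is intentional and that the test exists to avoid the WARN_ON_ONCE in __kernel_read() mentioned in the commit message.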