+ fs-namespace-untag-user-pointers-in-copy_mount_options.patch added to -mm tree

The patch titled
     Subject: fs/namespace: untag user pointers in copy_mount_options
has been added to the -mm tree.  Its filename is
     fs-namespace-untag-user-pointers-in-copy_mount_options.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/fs-namespace-untag-user-pointers-in-copy_mount_options.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/fs-namespace-untag-user-pointers-in-copy_mount_options.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Subject: fs/namespace: untag user pointers in copy_mount_options

This patch is a part of a series that extends kernel ABI to allow to pass
tagged user pointers (with the top byte set to something else other than
0x00) as syscall arguments.

In copy_mount_options a user address is being subtracted from TASK_SIZE. 
If the address is lower than TASK_SIZE, the size is calculated to not
allow the exact_copy_from_user() call to cross TASK_SIZE boundary. 
However if the address is tagged, then the size will be calculated
incorrectly.

Untag the address before subtracting.

Link: http://lkml.kernel.org/r/1de225e4a54204bfd7f25dac2635e31aa4aa1d90.1563904656.git.andreyknvl@xxxxxxxxxx
Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Reviewed-by: Khalid Aziz <khalid.aziz@xxxxxxxxxx>
Reviewed-by: Vincenzo Frascino <vincenzo.frascino@xxxxxxx>
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: Catalin Marinas <catalin.marinas@xxxxxxx>
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxx>
Cc: Eric Auger <eric.auger@xxxxxxxxxx>
Cc: Felix Kuehling <Felix.Kuehling@xxxxxxx>
Cc: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
Cc: Mauro Carvalho Chehab <mchehab+samsung@xxxxxxxxxx>
Cc: Mike Rapoport <rppt@xxxxxxxxxxxxx>
Cc: Will Deacon <will@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/namespace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c~fs-namespace-untag-user-pointers-in-copy_mount_options
+++ a/fs/namespace.c
@@ -2994,7 +2994,7 @@ void *copy_mount_options(const void __us
 	 * the remainder of the page.
 	 */
 	/* copy_from_user cannot cross TASK_SIZE ! */
-	size = TASK_SIZE - (unsigned long)data;
+	size = TASK_SIZE - (unsigned long)untagged_addr(data);
 	if (size > PAGE_SIZE)
 		size = PAGE_SIZE;
 
_
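
Review bot: the retained comment "copy_from_user cannot cross TASK_SIZE !" above the changed line does not say that data may carry a tag in its top byte, so a later cleanup could drop the untagged_addr() call as redundant. A short addition to that comment would help, stating that a tagged address compares above TASK_SIZE, so the unsigned subtraction would wrap and the "size > PAGE_SIZE" clamp would then always select a full page instead of stopping at the boundary. Note also that only the size computation uses the untagged value. The copy that consumes size lies outside the visible context, so it is worth confirming that it is meant to keep receiving the original data pointer.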

Patches currently in -mm which might be from andreyknvl@xxxxxxxxxx are

lib-untag-user-pointers-in-strn_user.patch
mm-untag-user-pointers-passed-to-memory-syscalls.patch
mm-untag-user-pointers-in-mm-gupc.patch
mm-untag-user-pointers-in-get_vaddr_frames.patch
fs-namespace-untag-user-pointers-in-copy_mount_options.patch
userfaultfd-untag-user-pointers.patch
drm-amdgpu-untag-user-pointers.patch
drm-radeon-untag-user-pointers-in-radeon_gem_userptr_ioctl.patch
media-v4l2-core-untag-user-pointers-in-videobuf_dma_contig_user_get.patch
tee-shm-untag-user-pointers-in-tee_shm_register.patch
vfio-type1-untag-user-pointers-in-vaddr_get_pfn.patch



