Commit 9de30f3f authored Nov 02, 2018 by Tycho Andersen Committed by David Teigland Nov 07, 2018

dlm: don't leak kernel pointer to userspace

In copy_result_to_user(), we first create a struct dlm_lock_result, which
contains a struct dlm_lksb, the last member of which is a pointer to the
lvb. Unfortunately, we copy the entire struct dlm_lksb to the result
struct, which is then copied to userspace at the end of the function,
leaking the contents of sb_lvbptr, which is a valid kernel pointer in some
cases (indeed, later in the same function the data it points to is copied
to userspace).

It is an error to leak kernel pointers to userspace, as it undermines KASLR
protections (see e.g. 65eea8ed ("floppy: Do not copy a kernel pointer to
user memory in FDGETPRM ioctl") for another example of this).

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: David Teigland <teigland@redhat.com>

parent 3f0806d2

fs/dlm/user.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -702,7 +702,7 @@ static int copy_result_to_user(struct dlm_user_args *ua, int compat,
		result.version[0] = DLM_DEVICE_VERSION_MAJOR;
		result.version[1] = DLM_DEVICE_VERSION_MINOR;
		result.version[2] = DLM_DEVICE_VERSION_PATCH;
		memcpy(&result.lksb, &ua->lksb, sizeof(struct dlm_lksb));
		memcpy(&result.lksb, &ua->lksb, offsetof(struct dlm_lksb, sb_lvbptr));
		result.user_lksb = ua->user_lksb;

		/* FIXME: dlm1 provides for the user's bastparam/addr to not be updated

Admin message