From a5a381ac996336ec0aa30fcc65fa02fb90c620a5 Mon Sep 17 00:00:00 2001
From: Coly Li
Date: Apr 19 2024 14:44:36 +0000
Subject: block: Fix WARNING in _copy_from_iter (bsc#1223015, CVE-2024-26844).
---
diff --git a/patches.suse/block-Fix-WARNING-in-_copy_from_iter-13f3.patch b/patches.suse/block-Fix-WARNING-in-_copy_from_iter-13f3.patch
new file mode 100644
index 0000000..2f46cfb
--- /dev/null
+++ b/patches.suse/block-Fix-WARNING-in-_copy_from_iter-13f3.patch
@@ -0,0 +1,63 @@
+From 13f3956eb5681a4045a8dfdef48df5dc4d9f58a6 Mon Sep 17 00:00:00 2001
+From: "Christian A. Ehrhardt"
+Date: Sun, 21 Jan 2024 21:26:34 +0100
+Subject: [PATCH] block: Fix WARNING in _copy_from_iter
+Git-commit: 13f3956eb5681a4045a8dfdef48df5dc4d9f58a6
+Patch-mainline: v6.8-rc2
+References: bsc#1223015, CVE-2024-26844
+
+Syzkaller reports a warning in _copy_from_iter because an
+iov_iter is supposedly used in the wrong direction. The reason
+is that syzcaller managed to generate a request with
+a transfer direction of SG_DXFER_TO_FROM_DEV. This instructs
+the kernel to copy user buffers into the kernel, read into
+the copied buffers and then copy the data back to user space.
+
+Thus the iovec is used in both directions.
+
+Detect this situation in the block layer and construct a new
+iterator with the correct direction for the copy-in.
+
+Reported-by: syzbot+a532b03fdfee2c137666@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/lkml/0000000000009b92c10604d7a5e9@google.com/t/
+Reported-by: syzbot+63dec323ac56c28e644f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/lkml/0000000000003faaa105f6e7c658@google.com/T/
+Signed-off-by: Christian A. Ehrhardt
+Reviewed-by: Christoph Hellwig
+Link: https://lore.kernel.org/r/20240121202634.275068-1-lk@c--e.de
+Signed-off-by: Jens Axboe
+Signed-off-by: Coly Li
+---
+ block/blk-map.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index 8584babf3ea0..71210cdb3442 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -205,12 +205,19 @@ static int bio_copy_user_iov(struct request *rq, struct rq_map_data *map_data,
+ /*
+ * success
+ */
+- if ((iov_iter_rw(iter) == WRITE &&
+- (!map_data || !map_data->null_mapped)) ||
+- (map_data && map_data->from_user)) {
++ if (iov_iter_rw(iter) == WRITE &&
++ (!map_data || !map_data->null_mapped)) {
+ ret = bio_copy_from_iter(bio, iter);
+ if (ret)
+ goto cleanup;
++ } else if (map_data && map_data->from_user) {
++ struct iov_iter iter2 = *iter;
++
++ /* This is the copy-in part of SG_DXFER_TO_FROM_DEV. */
++ iter2.data_source = ITER_SOURCE;
++ ret = bio_copy_from_iter(bio, &iter2);
++ if (ret)
++ goto cleanup;
+ } else {
+ if (bmd->is_our_pages)
+ zero_fill_bio(bio);
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 7bd582f..b00ee45 100644
--- a/series.conf
+++ b/series.conf
@@ -19048,6 +19048,7 @@
 patches.suse/Revert-nouveau-push-event-block-allowing-out-of-the-.patch
 patches.suse/drm-bridge-samsung-dsim-Don-t-use-FORCE_STOP_STATE.patch
 patches.suse/cpufreq-amd-pstate-Fix-setting-scaling-max-min-freq-.patch
+ patches.suse/block-Fix-WARNING-in-_copy_from_iter-13f3.patch
 patches.suse/ahci-asm1166-correct-count-of-reported-ports.patch
 patches.suse/ahci-add-43-bit-DMA-address-quirk-for-ASMedia-ASM106.patch
 patches.suse/platform-x86-intel-uncore-freq-Fix-types-in-sysfs-ca.patch
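Review bot: In the new `else if (map_data && map_data->from_user)` branch added to block/blk-map.c (first hunk, the new patch file), the copy-in runs on the by-value copy `iter2`, so the caller's `iter` is left where it was, whereas the removed code passed `iter` itself to bio_copy_from_iter() for this case. If bio_copy_from_iter() consumes the iterator it is given (its body is not in this hunk), a caller that checks the remaining count after bio_copy_user_iov() would now see an unconsumed iterator on the SG_DXFER_TO_FROM_DEV path; this should be confirmed against the caller, and if the advance is relied on, something like `iov_iter_advance(iter, bio->bi_iter.bi_size);` after the copy-in would restore it. If leaving `iter` untouched is intended, the comment should say so, for example `/* Copy-in part of SG_DXFER_TO_FROM_DEV: use a private ITER_SOURCE copy so iter keeps its direction for the copy-back; iter is intentionally not advanced here. */`. bio_copy_user_iov() starts and ends outside the hunk, so the rest of the success path is not visible.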