linux/drivers/block
Richard Weinberger d8e9e5e80e drbd: Fix kernel_sendmsg() usage - potential NULL deref
Don't pass a size larger than iov_len to kernel_sendmsg().
Otherwise it will cause a NULL pointer deref when kernel_sendmsg()
returns with rv < size.

DRBD as external module has been around in the kernel 2.4 days already.
We used to be compatible to 2.4 and very early 2.6 kernels,
we used to use
 rv = sock_sendmsg(sock, &msg, iov.iov_len);
then later changed to
 rv = kernel_sendmsg(sock, &msg, &iov, 1, size);
when we should have used
 rv = kernel_sendmsg(sock, &msg, &iov, 1, iov.iov_len);

tcp_sendmsg() used to totally ignore the size parameter.
 57be5bd ip: convert tcp_sendmsg() to iov_iter primitives
changes that, and exposes our long standing error.

Even with this error exposed, to trigger the bug, we would need to have
an environment (config or otherwise) causing us to not use sendpage()
for larger transfers, a failing connection, and have it fail "just at the
right time".  Apparently that was unlikely enough for most, so this went
unnoticed for years.

Still, it is known to trigger at least some of these,
and suspected for the others:
[0] http://lists.linbit.com/pipermail/drbd-user/2016-July/023112.html
[1] http://lists.linbit.com/pipermail/drbd-dev/2016-March/003362.html
[2] https://forums.grsecurity.net/viewtopic.php?f=3&t=4546
[3] https://ubuntuforums.org/showthread.php?t=2336150
[4] http://e2.howsolveproblem.com/i/1175162/

This should go into 4.9,
and into all stable branches since and including v4.0,
which is the first to contain the exposing change.

It is correct for all stable branches older than that as well
(which contain the DRBD driver; which is 2.6.33 and up).

It requires a small "conflict" resolution for v4.4 and earlier, with v4.5
we dropped the comment block immediately preceding the kernel_sendmsg().

Fixes: b411b3637f ("The DRBD driver")
Cc: <stable@vger.kernel.org> # 2.6.33.x-
Cc: viro@zeniv.linux.org.uk
Cc: christoph.lechleitner@iteg.at
Cc: wolfgang.glas@iteg.at
Reported-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
Tested-by: Christoph Lechleitner <christoph.lechleitner@iteg.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
[changed oneliner to be "obvious" without context; more verbose message]
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2016-11-09 17:08:32 -07:00
..
aoe tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
drbd drbd: Fix kernel_sendmsg() usage - potential NULL deref 2016-11-09 17:08:32 -07:00
mtip32xx blk-mq: remove ->map_queue 2016-09-15 08:42:03 -06:00
paride paride: make 'verbose' parameter an 'int' again 2016-03-15 16:55:16 -07:00
rsxx block: convert to device_add_disk() 2016-06-27 12:26:08 -07:00
xen-blkback xen: features and fixes for 4.8-rc0 2016-07-27 11:35:37 -07:00
zram block/mm: make bdev_ops->rw_page() take a bool for read/write 2016-08-07 14:41:02 -06:00
amiflop.c block: drop owner assignment from platform_drivers 2014-10-20 16:20:18 +02:00
ataflop.c Merge branch 'for-3.16/core' of git://git.kernel.dk/linux-block into next 2014-06-02 09:29:34 -07:00
brd.c block/mm: make bdev_ops->rw_page() take a bool for read/write 2016-08-07 14:41:02 -06:00
cciss_cmd.h
cciss_scsi.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
cciss_scsi.h
cciss.c block: convert to device_add_disk() 2016-06-27 12:26:08 -07:00
cciss.h
cryptoloop.c block: cryptoloop - Use new skcipher interface 2016-01-27 20:35:43 +08:00
DAC960.c block: DAC960: print a hex number after a 0x prefix 2016-10-27 18:43:43 -07:00
DAC960.h
floppy.c Revert "floppy: refactor open() flags handling" 2016-08-25 08:56:51 -06:00
hd.c block: hd: remove deprecated IRQF_DISABLED 2014-10-01 08:16:07 -06:00
Kconfig cpqarray: remove it from the kernel 2016-03-14 09:06:01 -06:00
loop.c kthread: kthread worker API cleanup 2016-10-11 15:06:33 -07:00
loop.h block: loop: support DIO & AIO 2015-09-23 11:01:16 -06:00
Makefile drivers:block: cpqarray clean up 2016-03-15 15:59:47 -07:00
mg_disk.c mg_disk: fix error path in mg_probe() 2016-06-28 11:01:27 -06:00
nbd.c nbd: Fix error handling 2016-11-06 14:14:59 -07:00
null_blk.c Merge branch 'for-4.9/block-irq' of git://git.kernel.dk/linux-block 2016-10-09 17:29:33 -07:00
osdblk.c block, drivers: add REQ_OP_FLUSH operation 2016-06-07 13:41:38 -06:00
pktcdvd.c block: rename bio bi_rw to bi_opf 2016-08-07 14:41:02 -06:00
ps3disk.c block: convert to device_add_disk() 2016-06-27 12:26:08 -07:00
ps3vram.c block: convert to device_add_disk() 2016-06-27 12:26:08 -07:00
rbd_types.h rbd: support for exclusive-lock feature 2016-08-24 23:49:16 +02:00
rbd.c rbd: don't retry watch reregistration if header object is gone 2016-10-15 23:22:09 +02:00
skd_main.c block: convert to device_add_disk() 2016-06-27 12:26:08 -07:00
skd_s1120.h
smart1,2.h
sunvdc.c block: convert to device_add_disk() 2016-06-27 12:26:08 -07:00
swim3.c powerpc: Move Power Macintosh drivers to generic byteswappers 2015-03-23 14:29:40 +11:00
swim_asm.S
swim.c block: drop owner assignment from platform_drivers 2014-10-20 16:20:18 +02:00
sx8.c sx8: use real time for the command seconds 2015-12-23 08:42:59 -07:00
umem.c block: rename bio bi_rw to bi_opf 2016-08-07 14:41:02 -06:00
umem.h
virtio_blk.c virtio_blk: Delete an unnecessary initialisation in init_vq() 2016-10-31 00:21:47 +02:00
xen-blkfront.c blk-mq: remove ->map_queue 2016-09-15 08:42:03 -06:00
xsysace.c block: systemace: Remove .owner field for driver 2014-08-21 20:37:54 -05:00
z2ram.c