This repository has been archived by the owner on Oct 31, 2024. It is now read-only.

ublk: don't allow user copy for unprivileged device
commit 42aafd8 upstream.

UBLK_F_USER_COPY requires userspace to call write() on ublk char
device for filling request buffer, and unprivileged device can't
be trusted.

So don't allow user copy for unprivileged device.

Cc: [email protected]
Fixes: 1172d5b ("ublk: support user copy")
Signed-off-by: Ming Lei <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Ming Lei authored and gregkh committed Oct 22, 2024
1 parent d28b256 commit 8f3d568
Showing 2 changed files with 17 additions and 2 deletions.
11 changes: 10 additions & 1 deletion drivers/block/ublk_drv.c
Expand Up @@ -2381,10 +2381,19 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd)
* TODO: provide forward progress for RECOVERY handler, so that
* unprivileged device can benefit from it
*/
if (info.flags & UBLK_F_UNPRIVILEGED_DEV)
if (info.flags & UBLK_F_UNPRIVILEGED_DEV) {
info.flags &= ~(UBLK_F_USER_RECOVERY_REISSUE |
UBLK_F_USER_RECOVERY);

/*
* For USER_COPY, we depends on userspace to fill request
* buffer by pwrite() to ublk char device, which can't be
* used for unprivileged device
*/
if (info.flags & UBLK_F_USER_COPY)
return -EINVAL;
}

/* the created device is always owned by current user */
ublk_store_owner_uid_gid(&info.owner_uid, &info.owner_gid);
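
Review bot: The new comment above the UBLK_F_USER_COPY check says pwrite() "can't be used for unprivileged device" without giving the reason; the actual risk (an untrusted server can skip filling the request buffer, so uninitialized kernel data may be leaked) is stated only in the ublk_cmd.h comment and should be repeated or referenced here. "we depends on" should read "we depend on". This block also now handles flags in two different ways: UBLK_F_USER_RECOVERY_REISSUE and UBLK_F_USER_RECOVERY are silently masked off, while UBLK_F_USER_COPY returns -EINVAL. A sentence on why this flag is a hard error rather than being cleared would help, since any unprivileged server that sets it will now fail in ublk_ctrl_add_dev().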

8 changes: 7 additions & 1 deletion include/uapi/linux/ublk_cmd.h
Expand Up @@ -175,7 +175,13 @@
/* use ioctl encoding for uring command */
#define UBLK_F_CMD_IOCTL_ENCODE (1UL << 6)

/* Copy between request and user buffer by pread()/pwrite() */
/*
* Copy between request and user buffer by pread()/pwrite()
*
* Not available for UBLK_F_UNPRIVILEGED_DEV, otherwise userspace may
* deceive us by not filling request buffer, then kernel uninitialized
* data may be leaked.
*/
#define UBLK_F_USER_COPY (1UL << 7)

/*
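
Review bot: The added comment on UBLK_F_USER_COPY says the flag is "Not available for UBLK_F_UNPRIVILEGED_DEV" but does not say what userspace will observe; since this is a uapi header, it should state that adding a device with both flags set fails with -EINVAL (as the ublk_drv.c hunk does) rather than the flag being silently dropped like the recovery flags. "deceive us" is also ambiguous in a header read by userspace authors; "deceive the kernel" or "the driver" would be clearer, and "kernel uninitialized data" reads better as "uninitialized kernel data".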