linux-stable/fs
Thadeu Lima de Souza Cascardo 250edf9580 fs/binfmt_misc.c: do not allow offset overflow
commit 5cc41e0995 upstream.

When registering a new binfmt_misc handler, it is possible to overflow
the offset to get a negative value, which might crash the system, or
possibly leak kernel data.

Here is a crash log when 2500000000 was used as an offset:

  BUG: unable to handle kernel paging request at ffff989cfd6edca0
  IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
  PGD 1ef3e067 P4D 1ef3e067 PUD 0
  Oops: 0000 [#1] SMP NOPTI
  Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
  CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
  RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
  Call Trace:
    search_binary_handler+0x97/0x1d0
    do_execveat_common.isra.34+0x667/0x810
    SyS_execve+0x31/0x40
    do_syscall_64+0x73/0x130
    entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Use kstrtoint instead of simple_strtoul.  It will work as the code
already set the delimiter byte to '\0' and we only do it when the field
is not empty.

Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX.  Also tested
with examples documented at Documentation/admin-guide/binfmt-misc.rst
and other registrations from packages on Ubuntu.

Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-06-26 08:06:33 +08:00
9p fs/9p: Compare qid.path in v9fs_test_inode 2017-11-30 08:40:49 +00:00
adfs
affs affs_lookup(): close a race with affs_remove_link() 2018-05-30 07:51:47 +02:00
afs afs: Fix the non-encryption of calls 2018-06-21 04:02:59 +09:00
autofs4 autofs: mount point create should honour passed in mode 2018-04-24 09:36:39 +02:00
befs
bfs
btrfs btrfs: scrub: Don't use inode pages for device replace 2018-06-26 08:06:30 +08:00
cachefiles
ceph ceph: fix potential memory leak in init_caches() 2018-05-30 07:52:09 +02:00
cifs cifs: For SMB2 security information query, check for minimum sized security descriptor instead of sizeof FileAllInformation class 2018-06-26 08:06:31 +08:00
coda coda: fix 'kernel memory exposure attempt' in fsync 2017-11-24 08:37:05 +01:00
configfs
cramfs
crypto fscrypt: lock mutex before checking for bounce page pool 2017-11-30 08:40:44 +00:00
debugfs
devpts devpts: fix error handling in devpts_mntget() 2018-02-16 20:23:11 +01:00
dlm
ecryptfs eCryptfs: don't pass up plaintext names when using filename encryption 2018-06-21 04:02:42 +09:00
efivarfs
efs
exofs
exportfs
ext2 do d_instantiate/unlock_new_inode combinations safely 2018-05-30 07:51:47 +02:00
ext4 ext4: fix fencepost error in check for inode count overflow during resize 2018-06-26 08:06:29 +08:00
f2fs f2fs: fix to check extent cache in f2fs_drop_extent_tree 2018-05-30 07:52:33 +02:00
fat fs/fat/inode.c: fix sb_rdonly() change 2017-12-05 11:26:29 +01:00
freevxfs
fscache fscache: Fix hanging wait on page discarded by writeback 2018-05-30 07:52:25 +02:00
fuse
gfs2 gfs2: Fix fallocate chunk size 2018-05-30 07:52:35 +02:00
hfs
hfsplus hfsplus: stop workqueue when fill_super() failed 2018-05-25 16:17:35 +02:00
hostfs
hpfs
hugetlbfs hugetlbfs: fix bug in pgoff overflow checking 2018-04-19 08:56:21 +02:00
isofs isofs: fix potential memory leak in mount option parsing 2018-06-21 04:02:41 +09:00
jbd2 ext4: set h_journal if there is a failure starting a reserved handle 2018-05-01 12:58:06 -07:00
jffs2 do d_instantiate/unlock_new_inode combinations safely 2018-05-30 07:51:47 +02:00
jfs do d_instantiate/unlock_new_inode combinations safely 2018-05-30 07:51:47 +02:00
kernfs kernfs: fix regression in kernfs_fop_write caused by wrong type 2018-02-16 20:22:59 +01:00
lockd race of lockd inetaddr notifiers vs nlmsvc_rqst change 2018-02-03 17:39:08 +01:00
minix
ncpfs staging: ncpfs: memory corruption in ncp_read_kernel() 2018-03-28 18:24:43 +02:00
nfs NFSv4.1: Fix up replays of interrupted requests 2018-06-26 08:06:29 +08:00
nfs_common lockd: fix "list_add double add" caused by legacy signal interface 2018-02-03 17:39:08 +01:00
nfsd nfsd: fix incorrect umasks 2018-04-19 08:56:21 +02:00
nilfs2 do d_instantiate/unlock_new_inode combinations safely 2018-05-30 07:51:47 +02:00
nls
notify fsnotify: fix ignore mask logic in send_to_group() 2018-06-21 04:02:41 +09:00
ntfs
ocfs2 ocfs2: take inode cluster lock before moving reflinked inode from orphan dir 2018-06-21 04:02:57 +09:00
omfs
openpromfs
orangefs orangefs: report attributes_mask and attributes for statx 2018-06-26 08:06:33 +08:00
overlayfs ovl: fix lookup with middle layer opaque dir and absolute path redirects 2018-04-19 08:56:21 +02:00
proc proc/kcore: don't bounds check against address 0 2018-06-21 04:02:57 +09:00
pstore
qnx4
qnx6
quota quota: Check for register_shrinker() failure. 2018-02-03 17:39:11 +01:00
ramfs
reiserfs do d_instantiate/unlock_new_inode combinations safely 2018-05-30 07:51:47 +02:00
romfs
squashfs
sysfs sysfs: symlink: export sysfs_create_link_nowarn() 2018-03-31 18:10:38 +02:00
sysv
tracefs
ubifs ubifs: Fix uninitialized variable in search_dh_cookie() 2018-04-26 11:02:07 +02:00
udf udf: Provide saner default for invalid uid / gid 2018-05-30 07:52:38 +02:00
ufs do d_instantiate/unlock_new_inode combinations safely 2018-05-30 07:51:47 +02:00
xfs xfs: detect agfl count corruption and reset agfl 2018-06-05 11:41:55 +02:00
aio.c fix io_destroy()/aio_complete() race 2018-06-05 11:41:54 +02:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c fs/binfmt_misc.c: do not allow offset overflow 2018-06-26 08:06:33 +08:00
binfmt_script.c
block_dev.c
buffer.c fs: guard_bio_eod() needs to consider partitions 2017-11-30 08:40:45 +00:00
char_dev.c
compat.c
compat_binfmt_elf.c
compat_ioctl.c
coredump.c
dax.c fs/dax.c: release PMD lock even when there is no PMD support in DAX 2018-04-26 11:02:14 +02:00
dcache.c fs: dcache: Use READ_ONCE when accessing i_dir_seq 2018-05-30 07:52:03 +02:00
dcookies.c
direct-io.c direct-io: Fix sleep in atomic due to sync AIO 2018-03-08 22:41:06 -08:00
drop_caches.c
eventfd.c
eventpoll.c
exec.c exec: avoid gcc-8 warning for get_task_comm 2018-03-03 10:24:21 +01:00
fcntl.c fcntl: don't cap l_start and l_end values for F_GETLK64 in compat syscall 2017-12-17 15:07:59 +01:00
fhandle.c
file.c
file_table.c
filesystems.c
fs-writeback.c bdi: Fix oops in wb_workfn() 2018-05-16 10:10:25 +02:00
fs_pin.c
fs_struct.c
inode.c
internal.h
ioctl.c
iomap.c
Kconfig
Kconfig.binfmt
libfs.c
locks.c
Makefile
mbcache.c mbcache: initialize entry->e_referenced in mb_cache_entry_create() 2018-02-22 15:42:25 +01:00
mount.h
mpage.c
namei.c getname_kernel() needs to make sure that ->name != ->iname in long case 2018-04-19 08:56:19 +02:00
namespace.c vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion 2018-06-21 04:02:45 +09:00
no-block.c
nsfs.c
open.c
pipe.c pipe: fix off-by-one error when checking buffer limits 2018-02-16 20:23:05 +01:00
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c
select.c
seq_file.c seq_file: fix incomplete reset on read from zero offset 2018-02-22 15:42:28 +01:00
signalfd.c
splice.c
stack.c
stat.c
statfs.c
super.c fs: don't scan the inode cache before SB_BORN is set 2018-05-30 07:51:47 +02:00
sync.c
timerfd.c
userfaultfd.c userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails 2018-01-10 09:31:17 +01:00
utimes.c
xattr.c