mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/include
History
David Howells a751898a46 fscache: fix OOB Read in __fscache_acquire_volume 
[ Upstream commit 9f0933ac02 ]

The type of a->key[0] is char in fscache_volume_same().  If the length
of cache volume key is greater than 127, the value of a->key[0] is less
than 0.  In this case, klen becomes much larger than 255 after type
conversion, because the type of klen is size_t.  As a result, memcmp()
is read out of bounds.

This causes a slab-out-of-bounds Read in __fscache_acquire_volume(), as
reported by Syzbot.

Fix this by changing the type of the stored key to "u8 *" rather than
"char *" (it isn't a simple string anyway).  Also put in a check that
the volume name doesn't exceed NAME_MAX.

  BUG: KASAN: slab-out-of-bounds in memcmp+0x16f/0x1c0 lib/string.c:757
  Read of size 8 at addr ffff888016f3aa90 by task syz-executor344/3613
  Call Trace:
   memcmp+0x16f/0x1c0 lib/string.c:757
   memcmp include/linux/fortify-string.h:420 [inline]
   fscache_volume_same fs/fscache/volume.c:133 [inline]
   fscache_hash_volume fs/fscache/volume.c:171 [inline]
   __fscache_acquire_volume+0x76c/0x1080 fs/fscache/volume.c:328
   fscache_acquire_volume include/linux/fscache.h:204 [inline]
   v9fs_cache_session_get_cookie+0x143/0x240 fs/9p/cache.c:34
   v9fs_session_init+0x1166/0x1810 fs/9p/v9fs.c:473
   v9fs_mount+0xba/0xc90 fs/9p/vfs_super.c:126
   legacy_get_tree+0x105/0x220 fs/fs_context.c:610
   vfs_get_tree+0x89/0x2f0 fs/super.c:1530
   do_new_mount fs/namespace.c:3040 [inline]
   path_mount+0x1326/0x1e20 fs/namespace.c:3370
   do_mount fs/namespace.c:3383 [inline]
   __do_sys_mount fs/namespace.c:3591 [inline]
   __se_sys_mount fs/namespace.c:3568 [inline]
   __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568

Fixes: 62ab633523 ("fscache: Implement volume registration")
Reported-by: syzbot+a76f6a6e524cf2080aa3@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Zhang Peng <zhangpeng362@huawei.com>
Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
cc: Dominique Martinet <asmadeus@codewreck.org>
cc: Jeff Layton <jlayton@kernel.org>
cc: v9fs-developer@lists.sourceforge.net
cc: linux-cachefs@redhat.com
Link: https://lore.kernel.org/r/Y3OH+Dmi0QIOK18n@codewreck.org/ # Zhang Peng's v1 fix
Link: https://lore.kernel.org/r/20221115140447.2971680-1-zhangpeng362@huawei.com/ # Zhang Peng's v2 fix
Link: https://lore.kernel.org/r/166869954095.3793579.8500020902371015443.stgit@warthog.procyon.org.uk/ # v1
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2022-12-02 17:43:08 +01:00
..
acpi ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init() 2022-11-10 18:17:24 +01:00
asm-generic vmlinux.lds.h: Fix placement of '.data..decrypted' section 2022-11-16 10:04:06 +01:00
clocksource
crypto
drm drm/edid: Handle EDID 1.4 range descriptor h/vfreq offsets 2022-09-02 16:38:51 +03:00
dt-bindings dt-bindings: clock: exynosautov9: correct clock numbering of peric0/c1 2022-10-21 12:38:32 +02:00
keys
kunit kunit: fix assert_type for comparison macros 2022-09-01 13:00:32 -06:00
kvm
linux fscache: fix OOB Read in __fscache_acquire_volume 2022-12-02 17:43:08 +01:00
math-emu
media media: v4l: subdev: Fail graciously when getting try data for NULL state 2022-11-10 18:17:24 +01:00
memory
misc
net net: neigh: decrement the family specific qlen 2022-12-02 17:43:04 +01:00
pcmcia
ras mm, hwpoison: enable memory error handling on 1GB hugepage 2022-08-08 18:06:44 -07:00
rdma
rv
scsi scsi: stex: Properly zero out the passthrough command structure 2022-10-15 08:02:56 +02:00
soc ARM: at91: pm: avoid soft resetting AC DLL 2022-11-26 09:27:26 +01:00
sound ASoC: Intel: common: add ACPI matching tables for Raptor Lake 2022-11-04 00:00:28 +09:00
target
trace ARM: SoC fixes for 6.0-rc6 2022-09-22 11:10:11 -07:00
uapi audit: fix undefined behavior in bit shift for AUDIT_BIT 2022-12-02 17:42:59 +01:00
ufs scsi: ufs: core: Enable link lost interrupt 2022-08-11 22:04:32 -04:00
vdso
video
xen x86/xen: Add support for HVMOP_set_evtchn_upcall_vector 2022-08-12 11:28:21 +02:00