From patchwork Tue May 26 18:52:23 2020
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 225295
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Amir Goldstein, Miklos Szeredi, Sasha Levin
Subject: [PATCH 5.6 006/126] ovl: potential crash in ovl_fid_to_fh()
Date: Tue, 26 May 2020 20:52:23 +0200
Message-Id: <20200526183938.038330922@linuxfoundation.org>
In-Reply-To: <20200526183937.471379031@linuxfoundation.org>
References: <20200526183937.471379031@linuxfoundation.org>
X-Mailing-List: stable@vger.kernel.org

From: Dan Carpenter

[ Upstream commit 9aafc1b0187322fa4fd4eb905d0903172237206c ]

The "buflen" value comes from the user and there is a potential that it
could be zero.  In do_handle_to_path() we know that "handle->handle_bytes"
is non-zero and we do:

	handle_dwords = handle->handle_bytes >> 2;

So values 1-3 become zero.  Then in ovl_fh_to_dentry() we do:

	int len = fh_len << 2;

So now len is in the "0,4-128" range and a multiple of 4.  But if "buflen"
is zero it will try to copy negative bytes when we do the memcpy in
ovl_fid_to_fh().

	memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET);

And that will lead to a crash.  Thanks to Amir Goldstein for his help
with this patch.

Fixes: cbe7fba8edfc ("ovl: make sure that real fid is 32bit aligned in memory")
Signed-off-by: Dan Carpenter
Reviewed-by: Amir Goldstein
Cc: # v5.5
Signed-off-by: Miklos Szeredi
Signed-off-by: Sasha Levin
---
 fs/overlayfs/export.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c
index 6f54d70cef27..e605017031ee 100644
--- a/fs/overlayfs/export.c
+++ b/fs/overlayfs/export.c @@ -777,6 +777,9 @@ static struct ovl_fh *ovl_fid_to_fh(struct fid *fid, int buflen, int fh_type) if (fh_type != OVL_FILEID_V0) return ERR_PTR(-EINVAL); + if (buflen <= OVL_FH_WIRE_OFFSET) + return ERR_PTR(-EINVAL); + fh = kzalloc(buflen, GFP_KERNEL); if (!fh) return ERR_PTR(-ENOMEM);
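Review bot: the new bound in ovl_fid_to_fh() is correct, but nothing at the check says why OVL_FH_WIRE_OFFSET is the threshold; since buflen is user controlled and the only consumer of the bound is the memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET) later in the function, a one-line comment above `if (buflen <= OVL_FH_WIRE_OFFSET)` tying the two together would stop a future reader from relaxing it to `<`. Using `<=` is the right choice: buflen == OVL_FH_WIRE_OFFSET would make the memcpy length zero and leave an empty fb, so rejecting it with -EINVAL alongside the bad fh_type case is consistent. The kzalloc(buflen, GFP_KERNEL) directly below still allocates the full buflen although only buflen - OVL_FH_WIRE_OFFSET bytes are copied into it; that is harmless, but worth a word in the same comment.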
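Added example, not code from the patch or from the overlayfs tree: a userspace C model of the three length computations the commit message walks through (handle_bytes >> 2 in do_handle_to_path(), fh_len << 2 in ovl_fh_to_dentry(), and buflen - OVL_FH_WIRE_OFFSET in ovl_fid_to_fh()), with the pre-fix memcpy length shown beside the post-fix check. It makes concrete why "negative bytes" is a crash: the third argument of memcpy() is size_t, so the int result -3 converts to SIZE_MAX - 2. The values OVL_FH_WIRE_OFFSET = 3 and MAX_HANDLE_SZ = 128, and every function name below, are assumptions of this model; the kernel defines the real constants in fs/overlayfs/overlayfs.h and include/linux/exportfs.h.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not kernel code): a userspace model of the length
 * arithmetic described in the commit message. Both constants are
 * assumed values for this model only; the kernel's OVL_FH_WIRE_OFFSET
 * is offsetof(struct ovl_fh, fb) and MAX_HANDLE_SZ lives in
 * linux/exportfs.h.
 */
#define OVL_FH_WIRE_OFFSET 3   /* assumed: bytes before fb in struct ovl_fh */
#define MAX_HANDLE_SZ      128 /* assumed: largest handle_bytes the caller accepts */

/* Stage 1, do_handle_to_path(): user byte count to 32-bit words; 1..3 become 0. */
static int handle_dwords(unsigned int handle_bytes)
{
	return (int)(handle_bytes >> 2);
}

/* Stage 2, ovl_fh_to_dentry(): words back to a byte length, now a multiple of 4. */
static int fh_len_bytes(int fh_len)
{
	return fh_len << 2;
}

/*
 * Stage 3 before the fix: the third memcpy() argument as memcpy() sees it.
 * buflen - OVL_FH_WIRE_OFFSET is computed in int and then converted to
 * size_t, so a result of -3 becomes SIZE_MAX - 2.
 */
static size_t memcpy_len_unchecked(int buflen)
{
	return (size_t)(buflen - OVL_FH_WIRE_OFFSET);
}

/* Stage 3 after the fix: reject any buflen that leaves nothing for fb. */
static int memcpy_len_checked(int buflen, size_t *copy_len)
{
	if (buflen <= OVL_FH_WIRE_OFFSET)
		return -EINVAL;
	*copy_len = (size_t)(buflen - OVL_FH_WIRE_OFFSET);
	return 0;
}

/* Convenience wrapper: the checked length as a number, or -1 when rejected. */
static long checked_len_or_minus1(int buflen)
{
	size_t n = 0;

	return memcpy_len_checked(buflen, &n) ? -1 : (long)n;
}

/*
 * Run one user-supplied handle_bytes through all three stages. With
 * fixed == 0 the unchecked length is stored, as before this patch; with
 * fixed != 0 the result is 0 and a length, or -EINVAL.
 */
static int simulate(unsigned int handle_bytes, int fixed, size_t *copy_len)
{
	int buflen = fh_len_bytes(handle_dwords(handle_bytes));

	if (!fixed) {
		*copy_len = memcpy_len_unchecked(buflen);
		return 0;
	}
	return memcpy_len_checked(buflen, copy_len);
}

/* Count how many handle_bytes values in 1..MAX_HANDLE_SZ the fixed path rejects. */
static int count_rejected(void)
{
	int rejected = 0;
	size_t n;

	for (unsigned int hb = 1; hb <= MAX_HANDLE_SZ; hb++)
		if (simulate(hb, 1, &n) == -EINVAL)
			rejected++;
	return rejected;
}

int main(void)
{
	for (unsigned int hb = 1; hb <= 8; hb++) {
		size_t unchecked = 0, checked = 0;
		int rc;

		simulate(hb, 0, &unchecked);
		rc = simulate(hb, 1, &checked);
		printf("handle_bytes=%u buflen=%d unchecked memcpy len=%zu fixed=%s\n",
		       hb, fh_len_bytes(handle_dwords(hb)), unchecked,
		       rc == -EINVAL ? "EINVAL" : "ok");
	}
	printf("rejected by the fix: %d of %d\n", count_rejected(), MAX_HANDLE_SZ);
	return 0;
}
```

Only handle_bytes 1, 2 and 3 collapse to buflen 0 and hit the new -EINVAL; from 4 upward buflen is at least 4, which clears the assumed offset of 3 and leaves a positive copy length, matching the "0,4-128" range in the commit message.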