[5.6,006/126] ovl: potential crash in ovl_fid_to_fh()

Message ID	20200526183938.038330922@linuxfoundation.org
State	New
Headers	show Return-Path: <SRS0=+fRt=7I=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>, Amir Goldstein <amir73il@gmail.com>, Miklos Szeredi <mszeredi@redhat.com>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 5.6 006/126] ovl: potential crash in ovl_fid_to_fh() Date: Tue, 26 May 2020 20:52:23 +0200 Message-Id: <20200526183938.038330922@linuxfoundation.org> In-Reply-To: <20200526183937.471379031@linuxfoundation.org> References: <20200526183937.471379031@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [5.6,003/126] ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() [5.6,006/126] ovl: potential crash in ovl_fid_to_fh() [5.6,008/126] ACPI: EC: PM: Avoid flushing EC work when EC GPE is inactive [5.6,009/126] mtd: spinand: Propagate ECC information to the MTD structure [5.6,011/126] pipe: Fix pipe_full() test in opipe_prep(). [5.6,012/126] ubifs: remove broken lazytime support [5.6,014/126] iommu/amd: Fix over-read of ACPI UID from IVRS table [5.6,015/126] iommu/amd: Fix get_acpihid_device_id() [5.6,017/126] i2c: mux: demux-pinctrl: Fix an error handling path in i2c_demux_pinctrl_probe() [5.6,018/126] ubi: Fix seq_file usage in detailed_erase_block_info debugfs file [5.6,020/126] mtd: Fix mtd not registered due to nvmem name collision [5.6,022/126] kbuild: avoid concurrency issue in parallel building dtbs and dtbs_check [5.6,023/126] net: drop_monitor: use IS_REACHABLE() to guard net_dm_hw_report() [5.6,024/126] gcc-common.h: Update for GCC 10 [5.6,025/126] HID: multitouch: add eGalaxTouch P80H84 support [5.6,026/126] HID: logitech: Add support for Logitech G11 extra keys [5.6,028/126] HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead [5.6,029/126] scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV [5.6,032/126] vhost/vsock: fix packet delivery order to monitoring devices [5.6,034/126] component: Silence bind error on -EPROBE_DEFER [5.6,038/126] ibmvnic: Skip fatal error reset after passive init [5.6,039/126] ftrace/selftest: make unresolved cases cause failure if --fail-unresolved set [5.6,041/126] x86/apic: Move TSC deadline timer debug printk [5.6,044/126] ceph: fix double unlock in handle_cap_export() [5.6,045/126] stmmac: fix pointer check after utilization in stmmac_interrupt [5.6,047/126] platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA [5.6,050/126] drm/amd/display: fix counter in wait_for_no_pipes_pending [5.6,052/126] KVM: selftests: Fix build for evmcs.h [5.6,053/126] ARM: futex: Address build warning [5.6,055/126] scripts/gdb: repair rb_first() and rb_last() [5.6,057/126] ALSA: hda/realtek - Add HP new mute led supported for ALC236 [5.6,060/126] ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 [5.6,062/126] bpf: Restrict bpf_probe_read{, str}() only to archs where they work [5.6,063/126] bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range [5.6,064/126] ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option [5.6,067/126] ALSA: hda/realtek - Add more fixup entries for Clevo machines [5.6,069/126] scsi: target: Put lun_ref at end of tmr processing [5.6,072/126] drm/etnaviv: fix perfmon domain interation [5.6,074/126] apparmor: Fix use-after-free in aa_audit_rule_init [5.6,076/126] apparmor: Fix aa_label refcnt leak in policy_update [5.6,077/126] dmaengine: tegra210-adma: Fix an error handling path in tegra_adma_probe() [5.6,081/126] dmaengine: owl: Use correct lock in owl_dma_get_pchan() [5.6,082/126] vsprintf: dont obfuscate NULL and error pointers [5.6,085/126] Revert "gfs2: Dont demote a glock until its revokes are written" [5.6,087/126] Revert "driver core: platform: Initialize dma_parms for platform devices" [5.6,089/126] kbuild: Remove debug info from kallsyms linking [5.6,091/126] staging: wfx: unlock on error path [5.6,094/126] iio: adc: stm32-adc: fix device used to request dma [5.6,096/126] iio: sca3000: Remove an erroneous get_device() [5.6,097/126] iio: dac: vf610: Fix an error handling path in vf610_dac_probe() [5.6,098/126] iio: adc: ti-ads8344: Fix channel selection [5.6,102/126] tty: serial: add missing spin_lock_init for SiFive serial console [5.6,103/126] mei: release me_cl object reference [5.6,105/126] s390/pci: Fix s390_mmio_read/write with MIO [5.6,106/126] s390/kaslr: add support for R_390_JMP_SLOT relocation type [5.6,107/126] device-dax: dont leak kernel memory to user space after unloading kmem [5.6,109/126] kasan: disable branch tracing for core runtime [5.6,110/126] sh: include linux/time_types.h for sockios [5.6,112/126] sparc32: fix page table traversal in srmmu_nocache_init() [5.6,113/126] z3fold: fix use-after-free when freeing handles [5.6,115/126] rxrpc: Fix the excessive initial retransmission timeout [5.6,118/126] s390/kexec_file: fix initrd location for kdump kernel [5.6,121/126] rxrpc: Trace discarded ACKs [5.6,123/126] bpf: Prevent mmap()ing read-only maps as writable

Message ID

20200526183938.038330922@linuxfoundation.org

State

New

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
	Amir Goldstein <amir73il@gmail.com>,
	Miklos Szeredi <mszeredi@redhat.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.6 006/126] ovl: potential crash in ovl_fid_to_fh()
Date: Tue, 26 May 2020 20:52:23 +0200
Message-Id: <20200526183938.038330922@linuxfoundation.org>
In-Reply-To: <20200526183937.471379031@linuxfoundation.org>
References: <20200526183937.471379031@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman May 26, 2020, 6:52 p.m. UTC

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 9aafc1b0187322fa4fd4eb905d0903172237206c ]

The "buflen" value comes from the user and there is a potential that it
could be zero.  In do_handle_to_path() we know that "handle->handle_bytes"
is non-zero and we do:

	handle_dwords = handle->handle_bytes >> 2;

So values 1-3 become zero.  Then in ovl_fh_to_dentry() we do:

	int len = fh_len << 2;

So now len is in the "0,4-128" range and a multiple of 4.  But if
"buflen" is zero it will try to copy negative bytes when we do the
memcpy in ovl_fid_to_fh().

	memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET);

And that will lead to a crash.  Thanks to Amir Goldstein for his help
with this patch.

Fixes: cbe7fba8edfc ("ovl: make sure that real fid is 32bit aligned in memory")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Cc: <stable@vger.kernel.org> # v5.5
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/overlayfs/export.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c
index 6f54d70cef27..e605017031ee 100644
--- a/fs/overlayfs/export.c
+++ b/fs/overlayfs/export.c
@@ -777,6 +777,9 @@  static struct ovl_fh *ovl_fid_to_fh(struct fid *fid, int buflen, int fh_type)
 	if (fh_type != OVL_FILEID_V0)
 		return ERR_PTR(-EINVAL);
 
+	if (buflen <= OVL_FH_WIRE_OFFSET)
+		return ERR_PTR(-EINVAL);
+
 	fh = kzalloc(buflen, GFP_KERNEL);
 	if (!fh)
 		return ERR_PTR(-ENOMEM);

[5.6,006/126] ovl: potential crash in ovl_fid_to_fh()

Commit Message

Patch