From patchwork Fri Aug 21 00:42:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Morton X-Patchwork-Id: 265239 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C520C433DF for ; Fri, 21 Aug 2020 00:42:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 00B53207DF for ; Fri, 21 Aug 2020 00:42:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597970537; bh=OlGxIascbHIUZun41BFql3oNdYaebmCmIUt072WhhrM=; h=Date:From:To:Subject:In-Reply-To:List-ID:From; b=DaCIT+FjoCC41kvDJbjbJ12ijNbM+FCA1pGUx5ItsBjfpEFUIdDF45ZlCWP/8tJqW /NYvSrvDf3UF8iRT/msevfv1d2FUSbOJTdtsYOM9KBbWALxvBTFiBlzjaiUxfT4ph2 K1vOm8OW6nAJhaJj44j/tizOsz1+35CzZbEAi1co= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726938AbgHUAmP (ORCPT ); Thu, 20 Aug 2020 20:42:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:35498 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727013AbgHUAmM (ORCPT ); Thu, 20 Aug 2020 20:42:12 -0400 Received: from localhost.localdomain (c-73-231-172-41.hsd1.ca.comcast.net [73.231.172.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DF7522087D; Fri, 21 Aug 2020 00:42:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597970532; bh=OlGxIascbHIUZun41BFql3oNdYaebmCmIUt072WhhrM=; h=Date:From:To:Subject:In-Reply-To:From; b=oxLmkQuvJRdiZDxiY5OHxzBOiaY/Su417hN6czHfJjEPqJEkspjDGBrRcnHPoiBzm wcAPhwKEIQ9McnXR+47hCY2RAKurR4xe5IPp1brYlIdnb1KWhBVK1Zg27lWxezTtop cRyyYi/F0JjlltFPlqMwGiait+F/+miw1GOeFDn4= Date: Thu, 20 Aug 2020 17:42:11 -0700 From: Andrew Morton To: akpm@linux-foundation.org, dhowells@redhat.com, gregkh@linuxfoundation.org, jannh@google.com, linux-mm@kvack.org, mm-commits@vger.kernel.org, stable@vger.kernel.org, torvalds@linux-foundation.org Subject: [patch 06/11] romfs: fix uninitialized memory leak in romfs_dev_read() Message-ID: <20200821004211.g7aXs16ZQ%akpm@linux-foundation.org> In-Reply-To: <20200820174132.67fd4a7a9359048f807a533b@linux-foundation.org> User-Agent: s-nail v14.8.16 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Jann Horn Subject: romfs: fix uninitialized memory leak in romfs_dev_read() romfs has a superblock field that limits the size of the filesystem; data beyond that limit is never accessed. romfs_dev_read() fetches a caller-supplied number of bytes from the backing device. It returns 0 on success or an error code on failure; therefore, its API can't represent short reads, it's all-or-nothing. However, when romfs_dev_read() detects that the requested operation would cross the filesystem size limit, it currently silently truncates the requested number of bytes. This e.g. means that when the content of a file with size 0x1000 starts one byte before the filesystem size limit, ->readpage() will only fill a single byte of the supplied page while leaving the rest uninitialized, leaking that uninitialized memory to userspace. Fix it by returning an error code instead of truncating the read when the requested read operation would go beyond the end of the filesystem. Link: http://lkml.kernel.org/r/20200818013202.2246365-1-jannh@google.com Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly") Signed-off-by: Jann Horn Reviewed-by: Greg Kroah-Hartman Cc: David Howells Cc: Signed-off-by: Andrew Morton --- fs/romfs/storage.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/fs/romfs/storage.c~romfs-fix-uninitialized-memory-leak-in-romfs_dev_read +++ a/fs/romfs/storage.c @@ -217,10 +217,8 @@ int romfs_dev_read(struct super_block *s size_t limit; limit = romfs_maxsize(sb); - if (pos >= limit) + if (pos >= limit || buflen > limit - pos) return -EIO; - if (buflen > limit - pos) - buflen = limit - pos; #ifdef CONFIG_ROMFS_ON_MTD if (sb->s_mtd)