stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com,
	Dominique Martinet <dominique.martinet@cea.fr>,
	Eric Van Hensbergen <ericvh@gmail.com>,
	Latchesar Ionkov <lucho@ionkov.net>
Subject: [PATCH 3.18 44/47] 9p/net: put a lower bound on msize
Date: Fri, 11 Jan 2019 15:08:29 +0100	[thread overview]
Message-ID: <20190111131001.837522541@linuxfoundation.org> (raw)
In-Reply-To: <20190111130956.170952125@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dominique Martinet <dominique.martinet@cea.fr>

commit 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 upstream.

If the requested msize is too small (either from command line argument
or from the server version reply), we won't get any work done.
If it's *really* too small, nothing will work, and this got caught by
syzbot recently (on a new kmem_cache_create_usercopy() call)

Just set a minimum msize to 4k in both code paths, until someone
complains they have a use-case for a smaller msize.

We need to check in both mount option and server reply individually
because the msize for the first version request would be unchecked
with just a global check on clnt->msize.

Link: http://lkml.kernel.org/r/1541407968-31350-1-git-send-email-asmadeus@codewreck.org
Reported-by: syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/9p/client.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -155,6 +155,12 @@ static int parse_opts(char *opts, struct
 				ret = r;
 				continue;
 			}
+			if (option < 4096) {
+				p9_debug(P9_DEBUG_ERROR,
+					 "msize should be at least 4k\n");
+				ret = -EINVAL;
+				continue;
+			}
 			clnt->msize = option;
 			break;
 		case Opt_trans:
@@ -979,10 +985,18 @@ static int p9_client_version(struct p9_c
 	else if (!strncmp(version, "9P2000", 6))
 		c->proto_version = p9_proto_legacy;
 	else {
+		p9_debug(P9_DEBUG_ERROR,
+			 "server returned an unknown version: %s\n", version);
 		err = -EREMOTEIO;
 		goto error;
 	}
 
+	if (msize < 4096) {
+		p9_debug(P9_DEBUG_ERROR,
+			 "server returned a msize < 4096: %d\n", msize);
+		err = -EREMOTEIO;
+		goto error;
+	}
 	if (msize < c->msize)
 		c->msize = msize;
 
@@ -1047,6 +1061,13 @@ struct p9_client *p9_client_create(const
 	if (clnt->msize > clnt->trans_mod->maxsize)
 		clnt->msize = clnt->trans_mod->maxsize;
 
+	if (clnt->msize < 4096) {
+		p9_debug(P9_DEBUG_ERROR,
+			 "Please specify a msize of at least 4k\n");
+		err = -EINVAL;
+		goto free_client;
+	}
+
 	err = p9_client_version(clnt);
 	if (err)
 		goto close_trans;



  parent reply	other threads:[~2019-01-11 14:16 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-11 14:07 [PATCH 3.18 00/47] 3.18.132-stable review Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 01/47] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 02/47] USB: serial: option: add HP lt4132 Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 03/47] mmc: core: Reset HPI enabled state during re-init and in case of errors Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 04/47] mmc: omap_hsmmc: fix DMA API warning Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 05/47] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 06/47] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 07/47] x86/mtrr: Dont copy uninitialized gentry fields back to userspace Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 08/47] ax25: fix a use-after-free in ax25_fillin_cb() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 09/47] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 10/47] ipv6: explicitly initialize udp6_addr in udp_sock_create6() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 11/47] isdn: fix kernel-infoleak in capi_unlocked_ioctl Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 12/47] netrom: fix locking in nr_find_socket() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 13/47] packet: validate address length Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 14/47] packet: validate address length if non-zero Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 15/47] sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 16/47] vhost: make sure used idx is seen before log in vhost_add_used_n() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 17/47] VSOCK: Send reset control packet when socket is partially bound Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 18/47] xen/netfront: tolerate frags with no data Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 19/47] sock: Make sock->sk_stamp thread-safe Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 20/47] USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 21/47] usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 22/47] KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 23/47] ext4: fix possible use after free in ext4_quota_enable Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 24/47] ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 25/47] ext4: force inode writes when nfsd calls commit_metadata() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 26/47] cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 27/47] media: vivid: free bitmap_cap when updating std/timings/etc Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 28/47] MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 29/47] MIPS: Align kernel load address to 64KB Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 30/47] CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 31/47] scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 32/47] fork: record start_time late Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 33/47] sunrpc: fix cache_head leak due to queued request Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 34/47] sunrpc: use SVC_NET() in svcauth_gss_* functions Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 35/47] ALSA: cs46xx: Potential NULL dereference in probe Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 36/47] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 37/47] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 38/47] dlm: fixed memory leaks after failed ls_remove_names allocation Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 39/47] dlm: possible memory leak on error path in create_lkb() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 40/47] dlm: lost put_lkb on error path in receive_convert() and receive_unlock() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 41/47] dlm: memory leaks on error path in dlm_user_request() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 42/47] gfs2: Fix loop in gfs2_rbm_find Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 43/47] b43: Fix error in cordic routine Greg Kroah-Hartman
2019-01-11 14:08 ` Greg Kroah-Hartman [this message]
2019-01-11 14:08 ` [PATCH 3.18 45/47] ceph: dont update importing caps mseq when handing cap export Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 46/47] genwqe: Fix size check Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 47/47] power: supply: olpc_battery: correct the temperature units Greg Kroah-Hartman
2019-01-11 21:50 ` [PATCH 3.18 00/47] 3.18.132-stable review shuah
2019-01-12 14:58 ` Harsh Shandilya
2019-01-12 17:42 ` Guenter Roeck
2019-01-13  7:44   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190111131001.837522541@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dominique.martinet@cea.fr \
    --cc=ericvh@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lucho@ionkov.net \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).