From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.5 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 604F8C433DF for ; Fri, 10 Jul 2020 08:59:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 31150207BC for ; Fri, 10 Jul 2020 08:59:51 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="ekpALOaK" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727839AbgGJI7u (ORCPT ); Fri, 10 Jul 2020 04:59:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49252 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726644AbgGJI7t (ORCPT ); Fri, 10 Jul 2020 04:59:49 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 869ABC08C5CE; Fri, 10 Jul 2020 01:59:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:In-Reply-To:References; bh=46zVvTCTOU6ly5L8DQ5CyQhpZx1njBDbWU2lkQmXjRM=; b=ekpALOaKRhzdpAi91A603FNUEc 8jMBLVjFMPuzRYer7Qk8uDweww316Rlk6rVKMIqXddXo4s80WblIH/eY1g8nYLCMvJPuctcp07LFW UQ1nR2uo+uqAi4+b9Zzk7kjs7L04URC0zXkRTzxS85EFisNDAk1kklxninKo5WGsOwAuxCiJK1A6S ++nJj9fxFOW9ks953HI7RCpcm1lt3GhTUvTAnXbmdN/25cOmzdKRZx97dVF0i7uT3734W97LG16Ks 8OShoni+XXPPyZiSb9D19+C4MeOJWQBND/w17rqHIGrhYEasy8nZxQnJ5Asz1hT4dOUf2W4mJjhbH 2L0eld0w==; Received: from 089144201169.atnat0010.highway.a1.net ([89.144.201.169] helo=localhost) by casper.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux)) id 1jtosY-00082k-5L; Fri, 10 Jul 2020 08:59:35 +0000 From: Christoph Hellwig To: ericvh@gmail.com, lucho@ionkov.net, asmadeus@codewreck.org Cc: v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com Subject: [PATCH] net/9p: validate fds in p9_fd_open Date: Fri, 10 Jul 2020 10:57:22 +0200 Message-Id: <20200710085722.435850-1-hch@lst.de> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SRS-Rewrite: SMTP reverse-path rewritten from by casper.infradead.org. See http://www.infradead.org/rpr.html Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org p9_fd_open just fgets file descriptors passed in from userspace, but doesn't verify that they are valid for read or writing. This gets cought down in the VFS when actually attemping a read or write, but a new warning added in linux-next upsets syzcaller. Fix this by just verifying the fds early on. Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com Signed-off-by: Christoph Hellwig --- net/9p/trans_fd.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 13cd683a658ab6..1cd8ea0e493617 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -803,20 +803,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) return -ENOMEM; ts->rd = fget(rfd); + if (!ts->rd) + goto out_free_ts; + if (!(ts->rd->f_mode & FMODE_READ)) + goto out_put_wr; ts->wr = fget(wfd); - if (!ts->rd || !ts->wr) { - if (ts->rd) - fput(ts->rd); - if (ts->wr) - fput(ts->wr); - kfree(ts); - return -EIO; - } + if (!ts->wr) + goto out_put_rd; + if (!(ts->wr->f_mode & FMODE_WRITE)) + goto out_put_wr; client->trans = ts; client->status = Connected; return 0; + +out_put_wr: + fput(ts->wr); +out_put_rd: + fput(ts->rd); +out_free_ts: + kfree(ts); + return -EIO; } static int p9_socket_open(struct p9_client *client, struct socket *csocket) -- 2.26.2