From: Andrew Morton <akpm@linux-foundation.org>
To: dhowells@redhat.com, gregkh@linuxfoundation.org,
	jannh@google.com, mm-commits@vger.kernel.org,
	stable@vger.kernel.org
Subject: + romfs-fix-uninitialized-memory-leak-in-romfs_dev_read.patch added to -mm tree
Date: Tue, 18 Aug 2020 19:18:43 -0700
Message-ID: <20200819021843.hSn2BuO_-%akpm@linux-foundation.org>
In-Reply-To: <20200814172939.55d6d80b6e21e4241f1ee1f3@linux-foundation.org>


The patch titled
     Subject: romfs: fix uninitialized memory leak in romfs_dev_read()
has been added to the -mm tree.  Its filename is
     romfs-fix-uninitialized-memory-leak-in-romfs_dev_read.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/romfs-fix-uninitialized-memory-leak-in-romfs_dev_read.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/romfs-fix-uninitialized-memory-leak-in-romfs_dev_read.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Jann Horn <jannh@google.com>
Subject: romfs: fix uninitialized memory leak in romfs_dev_read()

romfs has a superblock field that limits the size of the filesystem; data
beyond that limit is never accessed.

romfs_dev_read() fetches a caller-supplied number of bytes from the
backing device.  It returns 0 on success or an error code on failure;
therefore, its API can't represent short reads, it's all-or-nothing.

However, when romfs_dev_read() detects that the requested operation would
cross the filesystem size limit, it currently silently truncates the
requested number of bytes.  This e.g.  means that when the content of a
file with size 0x1000 starts one byte before the filesystem size limit,
->readpage() will only fill a single byte of the supplied page while
leaving the rest uninitialized, leaking that uninitialized memory to
userspace.

Fix it by returning an error code instead of truncating the read when the
requested read operation would go beyond the end of the filesystem.

Link: http://lkml.kernel.org/r/20200818013202.2246365-1-jannh@google.com
Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/romfs/storage.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/fs/romfs/storage.c~romfs-fix-uninitialized-memory-leak-in-romfs_dev_read
+++ a/fs/romfs/storage.c
@@ -217,10 +217,8 @@ int romfs_dev_read(struct super_block *s
 	size_t limit;
 
 	limit = romfs_maxsize(sb);
-	if (pos >= limit)
+	if (pos >= limit || buflen > limit - pos)
 		return -EIO;
-	if (buflen > limit - pos)
-		buflen = limit - pos;
 
 #ifdef CONFIG_ROMFS_ON_MTD
 	if (sb->s_mtd)
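Review bot: The combined test on the added line is only safe because of its evaluation order, and nothing in the hunk records that: `buflen > limit - pos` is evaluated only after `pos >= limit` has been ruled out, so the subtraction cannot go below zero. A one-line comment above the `if` saying that the read is all-or-nothing and that the `pos >= limit` test must stay first would protect the check against a later reordering or split. A request that ends exactly at the limit (`buflen == limit - pos`) is still accepted, which looks intended. Since the removed lines clamped `buflen` and still let the read succeed, any caller that passes a fixed-size buffer for data ending near the limit will now see -EIO, so it is worth confirming each caller handles that return.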
_

Patches currently in -mm which might be from jannh@google.com are

romfs-fix-uninitialized-memory-leak-in-romfs_dev_read.patch
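
The failure mode described in the commit message, as an added userspace model in C (not kernel code and not part of the patch). `struct model_dev`, `read_truncating()`, `read_strict()`, `stale_after_read()`, the 0x2000-byte image and the 0xAA marker are hypothetical names and constructed values; the marker stands in for whatever a page held before the read.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for uninitialized page bytes */

/* Hypothetical stand-in for the backing device plus the superblock size limit. */
struct model_dev { const unsigned char *data; size_t limit; };

/* Pre-patch logic: silently clamp buflen, then report success. */
static int read_truncating(const struct model_dev *d, size_t pos, void *buf, size_t buflen)
{
	if (pos >= d->limit)
		return -EIO;
	if (buflen > d->limit - pos)
		buflen = d->limit - pos;
	memcpy(buf, d->data + pos, buflen);
	return 0;
}

/* Patched logic: all-or-nothing, a read crossing the limit is an error. */
static int read_strict(const struct model_dev *d, size_t pos, void *buf, size_t buflen)
{
	if (pos >= d->limit || buflen > d->limit - pos)
		return -EIO;
	memcpy(buf, d->data + pos, buflen);
	return 0;
}

/* Read 0x1000 bytes starting one byte before the limit; count bytes left stale. */
static size_t stale_after_read(int strict, int *ret)
{
	static unsigned char image[0x2000]; /* constructed filesystem image */
	unsigned char page[0x1000];
	struct model_dev d = { image, sizeof(image) };
	size_t i, stale = 0;

	memset(image, 0x11, sizeof(image));
	memset(page, STALE, sizeof(page));
	*ret = (strict ? read_strict : read_truncating)(&d, d.limit - 1, page, sizeof(page));
	for (i = 0; i < sizeof(page); i++)
		stale += (page[i] == STALE);
	return stale;
}

int main(void)
{
	int ret;
	size_t n = stale_after_read(0, &ret);
	printf("truncating: ret=%d stale=%zu\n", ret, n);
	n = stale_after_read(1, &ret);
	printf("strict:     ret=%d stale=%zu\n", ret, n);
	return 0;
}
```

With the truncating variant the caller is told the read succeeded while 0xfff bytes of the page were never written; with the strict variant the page is equally untouched, but the error return tells the caller not to use it.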

