From: Andrew Morton <akpm@linux-foundation.org>
To: akpm@linux-foundation.org, dhowells@redhat.com,
	gregkh@linuxfoundation.org, jannh@google.com, linux-mm@kvack.org,
	mm-commits@vger.kernel.org, stable@vger.kernel.org,
	torvalds@linux-foundation.org
Subject: [patch 06/11] romfs: fix uninitialized memory leak in romfs_dev_read()
Date: Thu, 20 Aug 2020 17:42:11 -0700	[thread overview]
Message-ID: <20200821004211.g7aXs16ZQ%akpm@linux-foundation.org> (raw)
In-Reply-To: <20200820174132.67fd4a7a9359048f807a533b@linux-foundation.org>

From: Jann Horn <jannh@google.com>
Subject: romfs: fix uninitialized memory leak in romfs_dev_read()

romfs has a superblock field that limits the size of the filesystem; data
beyond that limit is never accessed.

romfs_dev_read() fetches a caller-supplied number of bytes from the
backing device.  It returns 0 on success or an error code on failure;
therefore, its API can't represent short reads, it's all-or-nothing.

However, when romfs_dev_read() detects that the requested operation would
cross the filesystem size limit, it currently silently truncates the
requested number of bytes.  This e.g.  means that when the content of a
file with size 0x1000 starts one byte before the filesystem size limit,
->readpage() will only fill a single byte of the supplied page while
leaving the rest uninitialized, leaking that uninitialized memory to
userspace.

Fix it by returning an error code instead of truncating the read when the
requested read operation would go beyond the end of the filesystem.

Link: http://lkml.kernel.org/r/20200818013202.2246365-1-jannh@google.com
Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/romfs/storage.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/fs/romfs/storage.c~romfs-fix-uninitialized-memory-leak-in-romfs_dev_read
+++ a/fs/romfs/storage.c
@@ -217,10 +217,8 @@ int romfs_dev_read(struct super_block *s
 	size_t limit;
 
 	limit = romfs_maxsize(sb);
-	if (pos >= limit)
+	if (pos >= limit || buflen > limit - pos)
 		return -EIO;
-	if (buflen > limit - pos)
-		buflen = limit - pos;
 
 #ifdef CONFIG_ROMFS_ON_MTD
 	if (sb->s_mtd)
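Review bot: the merged condition at the new line `if (pos >= limit || buflen > limit - pos)` depends on operand order for correctness: `pos >= limit` must be evaluated first so that `limit - pos` cannot underflow for an out-of-range pos, and as written the short-circuit `||` guarantees that. This is the right shape (it also avoids the overflow-prone `pos + buflen > limit` form), and returning the same -EIO as the existing out-of-range case keeps the error contract uniform, so the one thing to confirm is that every caller passing a page-sized buflen already treats a non-zero return as a hard failure rather than retrying a shorter read, since a request that straddles romfs_maxsize() now fails outright instead of being shortened.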
_
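The truncation bug described in the commit message, modelled in user space as an added example (this is not code from the patch or from fs/romfs): a "device" image, a romfs_maxsize() stand-in, the pre-fix and post-fix forms of the bounds check, and a ->readpage()-style caller that assumes success means the whole buffer was filled. The names dev_read_truncating(), dev_read_fixed(), stale_bytes_after_readpage() and the constants FS_LIMIT, PAGE_SZ and the 0xAA/0x5A fill patterns are assumptions of this example, not kernel identifiers.

```c
/*
 * Added example, not from the kernel tree: user-space model of the
 * romfs_dev_read() bounds check before and after the fix.
 *
 * Assumptions (hypothetical, for illustration only):
 *   FS_LIMIT    stands in for romfs_maxsize(sb)
 *   PAGE_SZ     stands in for PAGE_SIZE
 *   backing_dev is a constructed in-memory "device" image
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FS_LIMIT 4096u
#define PAGE_SZ  4096u

/* Constructed device: bytes past FS_LIMIT exist but must never be read. */
static uint8_t backing_dev[2 * FS_LIMIT];

/* Pre-fix logic: a read crossing the limit is silently shortened. */
static int dev_read_truncating(size_t pos, void *buf, size_t buflen)
{
	size_t limit = FS_LIMIT;

	if (pos >= limit)
		return -EIO;
	if (buflen > limit - pos)
		buflen = limit - pos;	/* short read the caller cannot see */
	memcpy(buf, backing_dev + pos, buflen);
	return 0;
}

/* Post-fix logic: a read that would cross the limit fails outright. */
static int dev_read_fixed(size_t pos, void *buf, size_t buflen)
{
	size_t limit = FS_LIMIT;

	/* pos >= limit is tested first, so limit - pos cannot underflow. */
	if (pos >= limit || buflen > limit - pos)
		return -EIO;
	memcpy(buf, backing_dev + pos, buflen);
	return 0;
}

typedef int (*dev_read_fn)(size_t pos, void *buf, size_t buflen);

/*
 * Model of a ->readpage() caller.  The page starts out holding stale data
 * (0xAA here stands for whatever the frame held before) and the caller
 * trusts a 0 return to mean all file_len bytes were written.
 *
 * Returns the number of requested bytes still holding the stale pattern
 * (i.e. bytes that would be handed to userspace uninitialised), or -1 when
 * the read reported an error and the page would not be exposed at all.
 */
static long stale_bytes_after_readpage(dev_read_fn rd, size_t file_pos,
				       size_t file_len)
{
	uint8_t page[PAGE_SZ];
	long stale = 0;
	size_t i;

	/* Constructed image contents: a fixed pattern distinct from 0xAA. */
	memset(backing_dev, 0x5A, sizeof(backing_dev));
	memset(page, 0xAA, sizeof(page));

	if (file_len > PAGE_SZ)
		file_len = PAGE_SZ;
	if (rd(file_pos, page, file_len) < 0)
		return -1;

	for (i = 0; i < file_len; i++)
		if (page[i] == 0xAA)
			stale++;
	return stale;
}

int main(void)
{
	/* The commit's scenario: a 0x1000-byte file starting one byte
	 * before the end of the filesystem. */
	size_t pos = FS_LIMIT - 1, len = 0x1000;

	printf("truncating: %ld stale bytes would leak\n",
	       stale_bytes_after_readpage(dev_read_truncating, pos, len));
	printf("fixed:      %ld (read rejected with -EIO)\n",
	       stale_bytes_after_readpage(dev_read_fixed, pos, len));
	return 0;
}
```

With the pre-fix check the caller gets 0 back after only one byte was copied, so 4095 bytes of the page keep their previous contents; with the fixed check the same request returns -EIO and nothing is exposed, while reads that stay inside the limit behave identically in both versions.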
