* linux-next: Fixes tag needs some work in the overlayfs tree
@ 2020-05-13 0:23 Stephen Rothwell
2020-05-13 15:08 ` [PATCH v3] ovl: potential crash in ovl_fid_to_fh() Dan Carpenter
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Rothwell @ 2020-05-13 0:23 UTC (permalink / raw)
To: Miklos Szeredi
Cc: Linux Next Mailing List, Linux Kernel Mailing List, Dan Carpenter
Hi all,

In commit

    8d628847a2f8 ("ovl: potential crash in ovl_fid_to_fh()")

Fixes tag

    Fixes: cbe7fba8edfc: ("ovl: make sure that real fid is 32bit aligned in memory")

has these problem(s):

    - unexpected colon after SHA1
--
Cheers,
Stephen Rothwell
* [PATCH v3] ovl: potential crash in ovl_fid_to_fh()
2020-05-13 0:23 linux-next: Fixes tag needs some work in the overlayfs tree Stephen Rothwell
@ 2020-05-13 15:08 ` Dan Carpenter
0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2020-05-13 15:08 UTC (permalink / raw)
To: Miklos Szeredi, Amir Goldstein
Cc: linux-unionfs, kernel-janitors, Linux Next Mailing List,
Linux Kernel Mailing List, Stephen Rothwell
The "buflen" value comes from the user and there is a potential that it
could be zero. In do_handle_to_path() we know that "handle->handle_bytes"
is non-zero and we do:

    handle_dwords = handle->handle_bytes >> 2;

So values 1-3 become zero. Then in ovl_fh_to_dentry() we do:

    int len = fh_len << 2;

So now len is in the "0,4-128" range and a multiple of 4. But if
"buflen" is zero it will try to copy negative bytes when we do the
memcpy in ovl_fid_to_fh().

    memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET);

And that will lead to a crash. Thanks to Amir Goldstein for his help
with this patch.
Fixes: cbe7fba8edfc ("ovl: make sure that real fid is 32bit aligned in memory")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
---
v2: Move the check after the other checks
v3: Fix Fixes tag
fs/overlayfs/export.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c
index 475c61f53f0fe..ed5c1078919cc 100644
--- a/fs/overlayfs/export.c
+++ b/fs/overlayfs/export.c
@@ -783,6 +783,9 @@ static struct ovl_fh *ovl_fid_to_fh(struct fid *fid, int buflen, int fh_type)
if (fh_type != OVL_FILEID_V0)
return ERR_PTR(-EINVAL);
+ if (buflen <= OVL_FH_WIRE_OFFSET)
+ return ERR_PTR(-EINVAL);
+
fh = kzalloc(buflen, GFP_KERNEL);
if (!fh)
return ERR_PTR(-ENOMEM);
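Review bot: at the new "if (buflen <= OVL_FH_WIRE_OFFSET)" test, buflen is a signed int (see the function signature in the hunk header), so if OVL_FH_WIRE_OFFSET has an unsigned type the comparison is carried out unsigned and a negative buflen would not be rejected. The commit message bounds the value to 0 or 4-128, so the check covers the reported case; a one-line comment above it stating that bound, or an explicit cast of the constant to int, would keep the guard correct if a future caller passes a different range.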
--
2.26.2
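The length arithmetic from the commit message above, modelled in user-space C as an added example that is not part of the original thread or the kernel source. The value 3 used for the wire offset and all helper names are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption for illustration: stand-in for OVL_FH_WIRE_OFFSET, whose
 * definition is not shown in the thread. */
#define WIRE_OFFSET 3

/* buflen as ovl_fid_to_fh() sees it after the two shifts quoted above. */
static int buflen_from_handle_bytes(unsigned int handle_bytes)
{
    int handle_dwords = (int)(handle_bytes >> 2); /* do_handle_to_path() */
    return handle_dwords << 2;                    /* ovl_fh_to_dentry() */
}

/* Count memcpy() would receive without the check: the int result is
 * converted to size_t, so a negative value becomes a huge length. */
static size_t unchecked_copy_len(int buflen)
{
    return (size_t)(buflen - WIRE_OFFSET);
}

/* Model of the patched path: bytes to copy, or -EINVAL if too short. */
static long checked_copy_len(int buflen)
{
    if (buflen <= WIRE_OFFSET)
        return -EINVAL;
    return buflen - WIRE_OFFSET;
}

int main(void)
{
    /* Constructed sample handle_bytes values, all non-zero. */
    unsigned int samples[] = { 1, 3, 4, 8, 128 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int buflen = buflen_from_handle_bytes(samples[i]);

        printf("handle_bytes=%3u buflen=%3d unchecked=%zu checked=%ld\n",
               samples[i], buflen, unchecked_copy_len(buflen),
               checked_copy_len(buflen));
    }
    return 0;
}
```

For handle_bytes of 1 to 3 the modelled buflen is 0, the unchecked count wraps to a value near SIZE_MAX, and the checked path returns -EINVAL instead.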
* linux-next: Fixes tag needs some work in the overlayfs tree
@ 2019-09-11 14:01 Stephen Rothwell
0 siblings, 0 replies; 3+ messages in thread
From: Stephen Rothwell @ 2019-09-11 14:01 UTC (permalink / raw)
To: Miklos Szeredi
Cc: Linux Next Mailing List, Linux Kernel Mailing List, Ding Xiang
Hi all,

In commit

    f31e81889715 ("ovl: Fix dereferencing possible ERR_PTR()")

Fixes tag

    Fixes: 9b6faee0747 ("ovl: check ERR_PTR() return value from ovl_encode_fh()")

has these problem(s):

    - SHA1 should be at least 12 digits long

Can be fixed by setting core.abbrev to 12 (or more) or (for git v2.11
or later) just making sure it is not set (or set to "auto").
--
Cheers,
Stephen Rothwell