From: Jann Horn <jannh@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: David Howells <dhowells@redhat.com>,
linux-kernel@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH] romfs: Fix uninitialized memory leak in romfs_dev_read()
Date: Tue, 18 Aug 2020 03:32:02 +0200 [thread overview]
Message-ID: <20200818013202.2246365-1-jannh@google.com> (raw)
romfs has a superblock field that limits the size of the filesystem;
data beyond that limit is never accessed.
romfs_dev_read() fetches a caller-supplied number of bytes from the
backing device. It returns 0 on success or an error code on failure;
therefore, its API can't represent short reads, it's all-or-nothing.
However, when romfs_dev_read() detects that the requested operation
would cross the filesystem size limit, it currently silently truncates
the requested number of bytes. This e.g. means that when the content
of a file with size 0x1000 starts one byte before the filesystem size
limit, ->readpage() will only fill a single byte of the supplied page
while leaving the rest uninitialized, leaking that uninitialized memory
to userspace.
Fix it by returning an error code instead of truncating the read when
the requested read operation would go beyond the end of the filesystem.
Cc: stable@vger.kernel.org
Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly")
Signed-off-by: Jann Horn <jannh@google.com>
---
fs/romfs/storage.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/romfs/storage.c b/fs/romfs/storage.c
index 6b2b4362089e..b57b3ffcbc32 100644
--- a/fs/romfs/storage.c
+++ b/fs/romfs/storage.c
@@ -217,10 +217,8 @@ int romfs_dev_read(struct super_block *sb, unsigned long pos,
size_t limit;
limit = romfs_maxsize(sb);
- if (pos >= limit)
+ if (pos >= limit || buflen > limit - pos)
return -EIO;
- if (buflen > limit - pos)
- buflen = limit - pos;
#ifdef CONFIG_ROMFS_ON_MTD
if (sb->s_mtd)
base-commit: bcf876870b95592b52519ed4aafcf9d95999bc9c
--
2.28.0.220.ged08abb693-goog
next reply other threads:[~2020-08-18 1:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-18 1:32 Jann Horn [this message]
2020-08-18 6:09 ` [PATCH] romfs: Fix uninitialized memory leak in romfs_dev_read() Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200818013202.2246365-1-jannh@google.com \
--to=jannh@google.com \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).