From: Ronald Monthero <debug.penguin32@gmail.com>
To: al@alarsen.net
Cc: keescook@chromium.org, gustavoars@kernel.org,
Ronald Monthero <debug.penguin32@gmail.com>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] qnx4: fix to avoid panic due to buffer overflow
Date: Sun, 12 Nov 2023 19:53:53 +1000 [thread overview]
Message-ID: <20231112095353.579855-1-debug.penguin32@gmail.com> (raw)
qnx4 dir name length can vary to be of maximum size
QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether
'link info' entry is stored and the status byte is set.
So to avoid buffer overflow check di_fname length
fetched from (struct qnx4_inode_entry *)
before use in strlen to avoid buffer overflow.
panic context
[ 4849.636861] detected buffer overflow in strlen
[ 4849.636897] ------------[ cut here ]------------
[ 4849.636902] kernel BUG at lib/string.c:1165!
[ 4849.636917] invalid opcode: 0000 [#2] SMP PTI
..
[ 4849.637047] Call Trace:
[ 4849.637053] <TASK>
[ 4849.637059] ? show_trace_log_lvl+0x1d6/0x2ea
[ 4849.637075] ? show_trace_log_lvl+0x1d6/0x2ea
[ 4849.637095] ? qnx4_find_entry.cold+0xc/0x18 [qnx4]
[ 4849.637111] ? show_regs.part.0+0x23/0x29
[ 4849.637123] ? __die_body.cold+0x8/0xd
[ 4849.637135] ? __die+0x2b/0x37
[ 4849.637147] ? die+0x30/0x60
[ 4849.637161] ? do_trap+0xbe/0x100
[ 4849.637171] ? do_error_trap+0x6f/0xb0
[ 4849.637180] ? fortify_panic+0x13/0x15
[ 4849.637192] ? exc_invalid_op+0x53/0x70
[ 4849.637203] ? fortify_panic+0x13/0x15
[ 4849.637215] ? asm_exc_invalid_op+0x1b/0x20
[ 4849.637228] ? fortify_panic+0x13/0x15
[ 4849.637240] ? fortify_panic+0x13/0x15
[ 4849.637251] qnx4_find_entry.cold+0xc/0x18 [qnx4]
[ 4849.637264] qnx4_lookup+0x3c/0xa0 [qnx4]
[ 4849.637275] __lookup_slow+0x85/0x150
[ 4849.637291] walk_component+0x145/0x1c0
[ 4849.637304] ? path_init+0x2c0/0x3f0
[ 4849.637316] path_lookupat+0x6e/0x1c0
[ 4849.637330] filename_lookup+0xcf/0x1d0
[ 4849.637341] ? __check_object_size+0x1d/0x30
[ 4849.637354] ? strncpy_from_user+0x44/0x150
[ 4849.637365] ? getname_flags.part.0+0x4c/0x1b0
[ 4849.637375] user_path_at_empty+0x3f/0x60
[ 4849.637383] vfs_statx+0x7a/0x130
[ 4849.637393] do_statx+0x45/0x80
..
Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com>
---
fs/qnx4/namei.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c
index 8d72221735d7..825b891a52b3 100644
--- a/fs/qnx4/namei.c
+++ b/fs/qnx4/namei.c
@@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name,
} else {
namelen = QNX4_SHORT_NAME_MAX;
}
+
+ /** qnx4 dir name length can vary, check the di_fname
+ * fetched from (struct qnx4_inode_entry *) before use in
+ * strlen to avoid panic due to buffer overflow"
+ */
+ if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname))
+ return -ENAMETOOLONG;
thislen = strlen( de->di_fname );
if ( thislen > namelen )
thislen = namelen;
--
2.34.1
next reply other threads:[~2023-11-12 9:56 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-12 9:53 Ronald Monthero [this message]
2023-11-12 16:16 ` [PATCH] qnx4: fix to avoid panic due to buffer overflow Anders Larsen
2023-11-13 9:25 ` Ronald Monthero
2023-11-13 15:40 ` Anders Larsen
2023-11-14 14:38 ` Ronald Monthero
2023-11-16 14:29 ` Kees Cook
2023-11-16 14:58 ` Kees Cook
2023-11-16 16:48 ` Anders Larsen
2023-11-16 18:26 ` Kees Cook
2023-11-18 8:38 ` Ronald Monthero
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231112095353.579855-1-debug.penguin32@gmail.com \
--to=debug.penguin32@gmail.com \
--cc=al@alarsen.net \
--cc=gustavoars@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).