On 8/13/18 2:04 PM, Jann Horn wrote:
> On Mon, Aug 13, 2018 at 7:42 PM Will Deacon wrote:
>>
>> Hi Jann,
>>
>> On Fri, Aug 10, 2018 at 05:19:38AM +0200, Jann Horn wrote:
>>> On Thu, Aug 2, 2018 at 5:16 PM Jann Horn wrote:
>>>>
>>>> This fixes the following issues:
>>>>
>>>> - When a buffer size is supplied to reiserfs_listxattr() such that each
>>>>   individual name fits, but the concatenation of all names doesn't
>>>>   fit, reiserfs_listxattr() overflows the supplied buffer. This leads to
>>>>   a kernel heap overflow (verified using KASAN) followed by an
>>>>   out-of-bounds usercopy and is therefore a security bug.
>>>> - When a buffer size is supplied to reiserfs_listxattr() such that a name
>>>>   doesn't fit, -ERANGE should be returned. But reiserfs instead just
>>>>   truncates the list of names; I have verified that if the only xattr on
>>>>   a file has a longer name than the supplied buffer length, listxattr()
>>>>   incorrectly returns zero.
>>>>
>>>> With my patch applied, -ERANGE is returned in both cases and the memory
>>>> corruption doesn't happen anymore.
>>>>
>>>> Credit for making me clean this code up a bit goes to Al Viro, who pointed
>>>> out that the ->actor calling convention is suboptimal and should be
>>>> changed.
>>>>
>>>> Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
>>>> Cc: stable@vger.kernel.org
>>>> Signed-off-by: Jann Horn
>>>
>>> +security@
>>> Ping. I have not received any replies to this patch, which fixes a
>>> kernel security bug, for a week.
>>> Whose tree should this go through? reiserfs is marked as "supported",
>>> but does not have a maintainer or a git repo listed, just a
>>> mailing list, so I guess it probably has to go through either Al Viro's
>>> or akpm's tree? Looks like akpm signed off on the last commits in
>>> reiserfs...
>>
>> I think Andrew's tree makes the most sense for this,
>
> Yeah, Andrew has already merged it. :)
> http://ozlabs.org/~akpm/mmots/broken-out/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
>
>> but perhaps we should
>> also patch MAINTAINERS to mark it as "Orphan"? Patch below.
>
> Either that, or get someone to step up as maintainer? If I read
> https://marc.info/?l=reiserfs-devel&m=153214303506948&w=2#0 correctly,
> there's still an intent to fix things in reiserfs, even though no
> maintainer is listed. (Jeff Mahoney, who wrote that message and is
> CC'ed on this thread, seems to have been out of office last week - when
> I sent the "Ping" message a few days ago, I got a vacation
> autoresponder "I'll be out of the office until 13 August" from him.)

I suppose I can take a more active role here. I'm probably the person
with the most experience with reiserfs who still has a role where I need
to care about it.

-Jeff

>> Will
>>
>> --->8
>>
>> From 07fbb021d5bbfe623fad10073b55704bda8e1f3d Mon Sep 17 00:00:00 2001
>> From: Will Deacon
>> Date: Mon, 13 Aug 2018 18:31:50 +0100
>> Subject: [PATCH] MAINTAINERS: Mark reiserfs as Orphan
>>
>> Reiserfs has no Maintainer and random fixes tend to be merged through
>> with Andrew or Al's tree. Demote the filesystem to "Orphan", since it's
>> clearly no longer supported by anybody.
>>
>> Reported-by: Jann Horn
>> Signed-off-by: Will Deacon
>> ---
>> MAINTAINERS | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index 544cac829cf4..b4fcc19cfb52 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -12077,7 +12077,7 @@ F: include/linux/regmap.h
>>
>> REISERFS FILE SYSTEM
>> L: reiserfs-devel@vger.kernel.org
>> -S: Supported
>> +S: Orphan
>> F: fs/reiserfs/
>>
>> REMOTE PROCESSOR (REMOTEPROC) SUBSYSTEM
>> --
>> 2.1.4
>

-- 
Jeff Mahoney
SUSE Labs
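Review bot: the `-S: Supported` / `+S: Orphan` change in this hunk is already at odds with the thread it is posted in, where Jeff Mahoney offers to take a more active role in reiserfs; if he is willing to be listed, the entry should gain an `M:` line for him with a status of `Maintained` (or keep `Supported`) instead of being demoted to `Orphan`, and the commit message's claim that the filesystem is "no longer supported by anybody" should be revised to match. If the patch goes in as-is, the commit message should at least record which tree (Andrew's or Al's, per the message body) reiserfs fixes are expected to go through, since the entry itself carries no `T:` line.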
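The two listxattr failure modes Jann describes at the top of the thread (buffer overflow when each name fits but their concatenation does not, and a zero return instead of -ERANGE when a single name does not fit) come down to one check: the remaining space must be compared against the cumulative length, not each name in isolation. The following is an added userspace example, not code from this thread and not reiserfs's own ->actor or listxattr code; `demo_listxattr`, `name_list_add`, and the `user.a`/`user.bb` name table are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a listxattr() name-list filler. Not reiserfs code:
 * the point is the bounds check, which must be made against the space
 * remaining after everything already copied, not against the whole buffer. */
struct name_list {
    char *buf;    /* caller-supplied buffer, or NULL for the sizing pass */
    size_t size;  /* capacity of buf in bytes */
    size_t pos;   /* bytes consumed so far (cumulative) */
};

/* Append one NUL-terminated name. Returns 0, or -ERANGE when the name does
 * not fit in the remaining space. Truncating silently here is the second
 * bug the thread describes; writing past the end is the first. */
static int name_list_add(struct name_list *l, const char *name, size_t len)
{
    if (l->buf == NULL) {            /* sizing pass: only count */
        l->pos += len + 1;
        return 0;
    }
    if (len + 1 > l->size - l->pos)  /* remaining space, not total size */
        return -ERANGE;
    memcpy(l->buf + l->pos, name, len);
    l->buf[l->pos + len] = '\0';
    l->pos += len + 1;
    return 0;
}

/* listxattr(2)-style contract: size == 0 returns the bytes needed; otherwise
 * returns the bytes written, or -ERANGE if the full list does not fit. */
long demo_listxattr(const char *const *names, size_t n, char *buf, size_t size)
{
    struct name_list l = { .buf = size ? buf : NULL, .size = size, .pos = 0 };

    for (size_t i = 0; i < n; i++) {
        int err = name_list_add(&l, names[i], strlen(names[i]));
        if (err)
            return err;
    }
    return (long)l.pos;
}

/* Constructed xattr name table: 7 + 8 = 15 bytes including the NULs. */
static const char *const demo_names[] = { "user.a", "user.bb" };

/* Run the two-name table against a buffer of the given size (max 64). */
long demo_two_names(size_t size)
{
    char buf[64];
    if (size > sizeof buf)
        return -EINVAL;
    return demo_listxattr(demo_names, 2, buf, size);
}

/* Run only the first name: with a buffer shorter than "user.a\0" this must
 * be -ERANGE, not the zero return the thread reports for reiserfs. */
long demo_one_name(size_t size)
{
    char buf[64];
    if (size > sizeof buf)
        return -EINVAL;
    return demo_listxattr(demo_names, 1, buf, size);
}

int main(void)
{
    printf("needed:  %ld\n", demo_two_names(0));   /* 15 */
    printf("size 15: %ld\n", demo_two_names(15));  /* 15 */
    printf("size 10: %ld\n", demo_two_names(10));  /* -ERANGE: each name fits alone */
    printf("size 5:  %ld\n", demo_one_name(5));    /* -ERANGE, not 0 */
    return 0;
}
```

The size-10 case is the interesting one: both "user.a" (7 bytes with NUL) and "user.bb" (8 bytes) fit a 10-byte buffer individually, so a per-name check passes for each and the second copy would run 5 bytes past the end; checking against `size - pos` instead rejects it with -ERANGE, which is also what the caller of listxattr(2) expects so it can retry with a larger buffer.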