linux-kernel.vger.kernel.org archive mirror
From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Al Viro" <viro@zeniv.linux.org.uk>
Subject: [PATCH 3.16 081/114] get_rock_ridge_filename(): handle malformed NM entries
Date: Mon, 13 Jun 2016 19:36:37 +0100
Message-ID: <lsq.1465842997.432278116@decadent.org.uk>
In-Reply-To: <lsq.1465842997.838358341@decadent.org.uk>

3.16.36-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 99d825822eade8d827a1817357cbf3f889a552d6 upstream.

Payloads of NM entries are not supposed to contain NUL.  When we run
into such, only the part prior to the first NUL goes into the
concatenation (i.e. the directory entry name being encoded by a bunch
of NM entries).  We do stop when the amount collected so far + the
claimed amount in the current NM entry exceed 254.  So far, so good,
but what we return as the total length is the sum of *claimed*
sizes, not the actual amount collected.  And that can grow pretty
large - not unlimited, since you'd need to put CE entries in
between to be able to get more than the maximum that could be
contained in one isofs directory entry / continuation chunk and
we stop once we've encountered 32 CEs, but you can get about 8Kb
easily.  And that's what will be passed to readdir callback as the
name length.  8Kb __copy_to_user() from a buffer allocated by
__get_free_page()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/isofs/rock.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_d
 	int retnamlen = 0;
 	int truncate = 0;
 	int ret = 0;
+	char *p;
+	int len;
 
 	if (!ISOFS_SB(inode->i_sb)->s_rock)
 		return 0;
@@ -267,12 +269,17 @@ repeat:
 					rr->u.NM.flags);
 				break;
 			}
-			if ((strlen(retname) + rr->len - 5) >= 254) {
+			len = rr->len - 5;
+			if (retnamlen + len >= 254) {
 				truncate = 1;
 				break;
 			}
-			strncat(retname, rr->u.NM.name, rr->len - 5);
-			retnamlen += rr->len - 5;
+			p = memchr(rr->u.NM.name, '\0', len);
+			if (unlikely(p))
+				len = p - rr->u.NM.name;
+			memcpy(retname + retnamlen, rr->u.NM.name, len);
+			retnamlen += len;
+			retname[retnamlen] = '\0';
 			break;
 		case SIG('R', 'E'):
 			kfree(rs.buffer);
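Review bot: `len = rr->len - 5` is a signed int and nothing in this hunk guarantees `rr->len >= 5`; if the signature and length validation earlier in the loop does not already reject such entries, a negative `len` passes the `retnamlen + len >= 254` check and reaches `memchr()` and `memcpy()` as a huge `size_t`, so either confirm that the earlier check covers it or add an explicit `if (len < 0) break;` ahead of the bound check. The core fix is right: by counting only the bytes `memcpy()` actually wrote and terminating with `retname[retnamlen] = '\0'`, the returned length can no longer exceed the data present in `retname`, which is what made the oversized `__copy_to_user()` described in the commit message possible. A one-line comment at the `memchr()` noting that NM payloads must not contain NUL and that anything after one is deliberately dropped would help the next reader, since the silent truncation is otherwise surprising.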

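To make the claimed-versus-collected mismatch described in the commit message concrete, here is an added user-space model (not kernel code and not part of this patch) of the pre-fix and post-fix NM accumulation loops, run over constructed NM entries whose payloads contain NUL bytes; `struct nm_entry`, `NM_LIMIT` and `demo_mismatch()` are stand-ins invented for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for one NM entry: len mirrors rr->len (5 header bytes + payload). */
struct nm_entry { int len; const char *name; };
#define NM_LIMIT 254   /* same bound as the kernel check */

/* Pre-fix logic (the hunk's '-' lines): strncat() stops at the first NUL, yet
 * retnamlen grows by the *claimed* payload size, so the return value is inflated. */
static int collect_nm_old(const struct nm_entry *e, size_t n, char *retname)
{
    int retnamlen = 0;
    retname[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strlen(retname) + e[i].len - 5 >= NM_LIMIT)
            break;
        strncat(retname, e[i].name, e[i].len - 5);
        retnamlen += e[i].len - 5;
    }
    return retnamlen;
}

/* Post-fix logic (the hunk's '+' lines): copy only up to the first NUL and
 * count exactly what was copied, so the return value matches strlen(retname). */
static int collect_nm_fixed(const struct nm_entry *e, size_t n, char *retname)
{
    int retnamlen = 0;
    retname[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int len = e[i].len - 5;
        if (retnamlen + len >= NM_LIMIT)
            break;
        const char *p = memchr(e[i].name, '\0', len);
        if (p)
            len = (int)(p - e[i].name);
        memcpy(retname + retnamlen, e[i].name, len);
        retnamlen += len;
        retname[retnamlen] = '\0';
    }
    return retnamlen;
}

/* Constructed input: 8 NM entries each claiming 100 payload bytes but carrying
 * only "x" before NULs. Returns the old length; *fixed receives the new one. */
static int demo_mismatch(int *fixed)
{
    static const char payload[100] = "x";   /* remaining bytes are zero */
    struct nm_entry e[8];
    char retname[NM_LIMIT + 2];
    for (int i = 0; i < 8; i++) { e[i].len = 105; e[i].name = payload; }
    *fixed = collect_nm_fixed(e, 8, retname);
    return collect_nm_old(e, 8, retname);
}
```

With this input the old loop reports 800 bytes for a name that is actually 8 bytes long, while the fixed loop reports 8.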
