From: asmadeus@codewreck.org
To: Peng Zhang <zhangpeng362@huawei.com>, dhowells@redhat.com
Cc: ericvh@gmail.com, lucho@ionkov.net, linux_oss@crudebyte.com,
jlayton@kernel.org, v9fs-developer@lists.sourceforge.net,
linux-kernel@vger.kernel.org,
syzbot+a76f6a6e524cf2080aa3@syzkaller.appspotmail.com
Subject: Re: [PATCH] fscache: fix OOB Read in __fscache_acquire_volume
Date: Tue, 15 Nov 2022 21:37:12 +0900 [thread overview]
Message-ID: <Y3OH+Dmi0QIOK18n@codewreck.org> (raw)
In-Reply-To: <20221115122701.2117502-1-zhangpeng362@huawei.com>
Peng Zhang wrote on Tue, Nov 15, 2022 at 12:27:01PM +0000:
> The type of a->key[0] is char. If the length of cache volume key is
> greater than 127, the value of a->key[0] is less than 0. In this case,
> klen becomes much larger than 255 after type conversion, because the
> type of klen is size_t. As a result, memcmp() is read out of bounds. Fix
> this by adding a check on the length of the key in
> v9fs_cache_session_get_cookie().
Thanks for the analysis. (it took me a while to understand what a->key
was about, this is referring to the code in fscache_volume_same...)
It feels like that's another problem that could be avoided by using
unsigned... but I don't know enough about fscache to comment seriously
about whether that'd be viable or not, and it'd just punt the limit from
127 to 255 anyway.
Rather than this patch, I've had a quick look at afs/cifs/ceph and it
doesen't look like any of these check the name length before calling
fscache_acquire_volume either -- I'd say it's worth moving that check
there.
Perhaps in fscahce_alloc_volume() they already compute
klen = strlen(volume_key) to store it in key[0] -- making sure it fits
a signed char before writing key[0] sounds like a good idea that'd
benefit everyone?
Please test this (feel free to resend that):
---
diff --git a/fs/fscache/volume.c b/fs/fscache/volume.c
index a058e0136bfe..cc206d5e4cc7 100644
--- a/fs/fscache/volume.c
+++ b/fs/fscache/volume.c
@@ -230,6 +230,8 @@ static struct fscache_volume *fscache_alloc_volume(const char *volume_key,
* hashing easier.
*/
klen = strlen(volume_key);
+ if (klen > 127)
+ goto err_cache;
hlen = round_up(1 + klen + 1, sizeof(__le32));
key = kzalloc(hlen, GFP_KERNEL);
if (!key)
---
David, comments welcome :)
--
Dominique
next prev parent reply other threads:[~2022-11-15 12:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-15 12:27 [PATCH] fscache: fix OOB Read in __fscache_acquire_volume Peng Zhang
2022-11-15 12:37 ` asmadeus [this message]
[not found] <54854a71-5856-f80f-d8cb-ab75b826ba5f@huawei.com>
2022-11-17 15:39 ` David Howells
2022-11-18 7:00 ` David Howells
2022-11-21 16:31 David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y3OH+Dmi0QIOK18n@codewreck.org \
--to=asmadeus@codewreck.org \
--cc=dhowells@redhat.com \
--cc=ericvh@gmail.com \
--cc=jlayton@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux_oss@crudebyte.com \
--cc=lucho@ionkov.net \
--cc=syzbot+a76f6a6e524cf2080aa3@syzkaller.appspotmail.com \
--cc=v9fs-developer@lists.sourceforge.net \
--cc=zhangpeng362@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.