| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Jun 2020 14:49:51 -0600
From: Andreas Dilger <adilger@...ger.ca>
To: Eric Biggers <ebiggers@...nel.org>
Cc: linux-ext4@...r.kernel.org, Daniel Rosenberg <drosen@...gle.com>,
stable@...r.kernel.org, linux-f2fs-devel@...ts.sourceforge.net,
Al Viro <viro@...iv.linux.org.uk>,
linux-fsdevel@...r.kernel.org,
Gabriel Krisman Bertazi <krisman@...labora.co.uk>
Subject: Re: [PATCH v2] ext4: avoid utf8_strncasecmp() with unstable name
On Jun 1, 2020, at 2:05 PM, Eric Biggers <ebiggers@...nel.org> wrote:
>
> From: Eric Biggers <ebiggers@...gle.com>
>
> If the dentry name passed to ->d_compare() fits in dentry::d_iname, then
> it may be concurrently modified by a rename. This can cause undefined
> behavior (possibly out-of-bounds memory accesses or crashes) in
> utf8_strncasecmp(), since fs/unicode/ isn't written to handle strings
> that may be concurrently modified.
>
> Fix this by first copying the filename to a stack buffer if needed.
> This way we get a stable snapshot of the filename.
>
> Fixes: b886ee3e778e ("ext4: Support case-insensitive file name lookups")
> Cc: <stable@...r.kernel.org> # v5.2+
> Cc: Al Viro <viro@...iv.linux.org.uk>
> Cc: Daniel Rosenberg <drosen@...gle.com>
> Cc: Gabriel Krisman Bertazi <krisman@...labora.co.uk>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
LGTM.
Reviewed-by: Andreas Dilger <adilger@...ger.ca>
> ---
>
> v2: use memcpy() + barrier() instead of a byte-by-byte copy.
>
> fs/ext4/dir.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c
> index c654205f648dd..1d82336b1cd45 100644
> --- a/fs/ext4/dir.c
> +++ b/fs/ext4/dir.c
> @@ -675,6 +675,7 @@ static int ext4_d_compare(const struct dentry *dentry, unsigned int len,
> struct qstr qstr = {.name = str, .len = len };
> const struct dentry *parent = READ_ONCE(dentry->d_parent);
> const struct inode *inode = READ_ONCE(parent->d_inode);
> + char strbuf[DNAME_INLINE_LEN];
>
> if (!inode || !IS_CASEFOLDED(inode) ||
> !EXT4_SB(inode->i_sb)->s_encoding) {
> @@ -683,6 +684,21 @@ static int ext4_d_compare(const struct dentry *dentry, unsigned int len,
> return memcmp(str, name->name, len);
> }
>
> + /*
> + * If the dentry name is stored in-line, then it may be concurrently
> + * modified by a rename. If this happens, the VFS will eventually retry
> + * the lookup, so it doesn't matter what ->d_compare() returns.
> + * However, it's unsafe to call utf8_strncasecmp() with an unstable
> + * string. Therefore, we have to copy the name into a temporary buffer.
> + */
> + if (len <= DNAME_INLINE_LEN - 1) {
> + memcpy(strbuf, str, len);
> + strbuf[len] = 0;
> + qstr.name = strbuf;
> + /* prevent compiler from optimizing out the temporary buffer */
> + barrier();
> + }
> +
> return ext4_ci_compare(inode, name, &qstr, false);
> }
>
> --
> 2.26.2
>
Cheers, Andreas
Download attachment "signature.asc" of type "application/pgp-signature" (874 bytes)
Powered by blists - more mailing lists