Message-ID: <20180331224541.GF18893@thunk.org>
Date:   Sat, 31 Mar 2018 18:45:41 -0400
From:   "Theodore Y. Ts'o" <tytso@....edu>
To:     syzbot <syzbot+730517f1d3fbe54a17c7@...kaller.appspotmail.com>
Cc:     linux-ext4@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev

Thanks for the report.  I believe the patch below should address the
problem reported at:

	https://syzkaller.appspot.com/bug?extid=730517f1d3fbe54a17c7

					- Ted

commit dbb59b993fe5f11cb195a094fe69a7f260285a5c
Author: Theodore Ts'o <tytso@....edu>
Date:   Sat Mar 31 18:41:59 2018 -0400

    ext4: force revalidation of directory pointer after seekdir(2)
    
    A malicious user could force the directory pointer to be in an invalid
    spot by using seekdir(2).  Use the mechanism we already have to notice
    if the directory has changed since the last time we called
    ext4_readdir() to force a revalidation of the pointer.
    
    Reported-by: syzbot+1236ce66f79263e8a862@...kaller.appspotmail.com
    Signed-off-by: Theodore Ts'o <tytso@....edu>
    Cc: stable@...r.kernel.org

diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c
index da87cf757f7d..6ab7c2cf7136 100644
--- a/fs/ext4/dir.c
+++ b/fs/ext4/dir.c
@@ -365,13 +365,15 @@ static loff_t ext4_dir_llseek(struct file *file, loff_t offset, int whence)
 {
 	struct inode *inode = file->f_mapping->host;
 	int dx_dir = is_dx_dir(inode);
-	loff_t htree_max = ext4_get_htree_eof(file);
+	loff_t ret, htree_max = ext4_get_htree_eof(file);
 
 	if (likely(dx_dir))
-		return generic_file_llseek_size(file, offset, whence,
+		ret = generic_file_llseek_size(file, offset, whence,
 						    htree_max, htree_max);
 	else
-		return ext4_llseek(file, offset, whence);
+		ret = ext4_llseek(file, offset, whence);
+	file->f_version = inode_peek_iversion(inode) - 2;
+	return ret;
 }
 
 /*
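
Review bot: The "- 2" in the added line "file->f_version = inode_peek_iversion(inode) - 2;" is an unexplained magic constant, and the assignment has no comment saying why the llseek path touches f_version at all. Going by the commit message, the intent is only that f_version no longer matches the inode's current version, so that the next ext4_readdir() treats the position as stale and revalidates it. Please add a short comment stating that, and say why the offset is 2 rather than any other nonzero value. Separately, the assignment runs unconditionally after both branches, so it also fires when ret is a negative error and f_pos was not moved. Consider guarding it with "if (ret >= 0)" or noting in the comment that the extra revalidation in that case is intentional.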
