| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 31 Oct 2018 00:58:53 +0300
From: Vasily Averin <vvs@...tuozzo.com>
To: linux-ext4@...r.kernel.org, Theodore Ts'o <tytso@....edu>
Cc: Andreas Dilger <adilger.kernel@...ger.ca>,
linux-kernel@...r.kernel.org
Subject: [PATCH v2 11/11] ext4: access to uninitialized bh fields in
ext4_xattr_set_handle()
On-stack initialization does not guarantee zeroying of unintialized
fields. So is.iloc.bh and bs.bh can be contain garbage of old stack
conent.
Errors in the beginning of ext4_xattr_set_handle() function
lead to jump to "cleanup:" label where brelse(is.iloc.bh)
and brelse(bs.bh) can access uninitialized bh fields of
on-stack located "is" and "bs" structures.
Issue was inherited from ext3 and was present in first ext4 commit.
Fixes ac27a0ec112a ("ext4: initial copy of files from ext3") # 2.6.19
Signed-off-by: Vasily Averin <vvs@...tuozzo.com>
---
fs/ext4/xattr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index dc1aeab06dba..aae12425597e 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -2303,9 +2303,11 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
};
struct ext4_xattr_ibody_find is = {
.s = { .not_found = -ENODATA, },
+ .iloc = { .bh = NULL, },
};
struct ext4_xattr_block_find bs = {
.s = { .not_found = -ENODATA, },
+ .bh = NULL,
};
int no_expand;
int error;
--
2.17.1
Powered by blists - more mailing lists