| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200609202821.GB1105@sol.localdomain>
Date: Tue, 9 Jun 2020 13:28:21 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: Theodore Ts'o <tytso@....edu>
Cc: Daniel Rosenberg <drosen@...gle.com>, stable@...r.kernel.org,
linux-ext4@...r.kernel.org, linux-f2fs-devel@...ts.sourceforge.net,
Al Viro <viro@...iv.linux.org.uk>,
linux-fsdevel@...r.kernel.org,
Gabriel Krisman Bertazi <krisman@...labora.co.uk>
Subject: Re: [PATCH v2] ext4: avoid utf8_strncasecmp() with unstable name
On Mon, Jun 01, 2020 at 01:05:43PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@...gle.com>
>
> If the dentry name passed to ->d_compare() fits in dentry::d_iname, then
> it may be concurrently modified by a rename. This can cause undefined
> behavior (possibly out-of-bounds memory accesses or crashes) in
> utf8_strncasecmp(), since fs/unicode/ isn't written to handle strings
> that may be concurrently modified.
>
> Fix this by first copying the filename to a stack buffer if needed.
> This way we get a stable snapshot of the filename.
>
> Fixes: b886ee3e778e ("ext4: Support case-insensitive file name lookups")
> Cc: <stable@...r.kernel.org> # v5.2+
> Cc: Al Viro <viro@...iv.linux.org.uk>
> Cc: Daniel Rosenberg <drosen@...gle.com>
> Cc: Gabriel Krisman Bertazi <krisman@...labora.co.uk>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
> ---
>
> v2: use memcpy() + barrier() instead of a byte-by-byte copy.
>
> fs/ext4/dir.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
Ted, could you take this through the ext4 tree as a fix for 5.8?
The f2fs patch has been merged already.
- Eric
Powered by blists - more mailing lists