lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 12 Nov 2023 19:53:53 +1000
From: Ronald Monthero <debug.penguin32@...il.com>
To: al@...rsen.net
Cc: keescook@...omium.org,
	gustavoars@...nel.org,
	Ronald Monthero <debug.penguin32@...il.com>,
	linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org
Subject: [PATCH] qnx4: fix to avoid panic due to buffer overflow

qnx4 dir name length can vary to be of maximum size
QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether
'link info' entry is stored and the status byte is set.
So to avoid buffer overflow check di_fname length
fetched from (struct qnx4_inode_entry *)
before use in strlen to avoid buffer overflow.

panic context
[ 4849.636861] detected buffer overflow in strlen
[ 4849.636897] ------------[ cut here ]------------
[ 4849.636902] kernel BUG at lib/string.c:1165!
[ 4849.636917] invalid opcode: 0000 [#2] SMP PTI
..
[ 4849.637047] Call Trace:
[ 4849.637053]  <TASK>
[ 4849.637059]  ? show_trace_log_lvl+0x1d6/0x2ea
[ 4849.637075]  ? show_trace_log_lvl+0x1d6/0x2ea
[ 4849.637095]  ? qnx4_find_entry.cold+0xc/0x18 [qnx4]
[ 4849.637111]  ? show_regs.part.0+0x23/0x29
[ 4849.637123]  ? __die_body.cold+0x8/0xd
[ 4849.637135]  ? __die+0x2b/0x37
[ 4849.637147]  ? die+0x30/0x60
[ 4849.637161]  ? do_trap+0xbe/0x100
[ 4849.637171]  ? do_error_trap+0x6f/0xb0
[ 4849.637180]  ? fortify_panic+0x13/0x15
[ 4849.637192]  ? exc_invalid_op+0x53/0x70
[ 4849.637203]  ? fortify_panic+0x13/0x15
[ 4849.637215]  ? asm_exc_invalid_op+0x1b/0x20
[ 4849.637228]  ? fortify_panic+0x13/0x15
[ 4849.637240]  ? fortify_panic+0x13/0x15
[ 4849.637251]  qnx4_find_entry.cold+0xc/0x18 [qnx4]
[ 4849.637264]  qnx4_lookup+0x3c/0xa0 [qnx4]
[ 4849.637275]  __lookup_slow+0x85/0x150
[ 4849.637291]  walk_component+0x145/0x1c0
[ 4849.637304]  ? path_init+0x2c0/0x3f0
[ 4849.637316]  path_lookupat+0x6e/0x1c0
[ 4849.637330]  filename_lookup+0xcf/0x1d0
[ 4849.637341]  ? __check_object_size+0x1d/0x30
[ 4849.637354]  ? strncpy_from_user+0x44/0x150
[ 4849.637365]  ? getname_flags.part.0+0x4c/0x1b0
[ 4849.637375]  user_path_at_empty+0x3f/0x60
[ 4849.637383]  vfs_statx+0x7a/0x130
[ 4849.637393]  do_statx+0x45/0x80
..

Signed-off-by: Ronald Monthero <debug.penguin32@...il.com>
---
 fs/qnx4/namei.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c
index 8d72221735d7..825b891a52b3 100644
--- a/fs/qnx4/namei.c
+++ b/fs/qnx4/namei.c
@@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name,
 	} else {
 		namelen = QNX4_SHORT_NAME_MAX;
 	}
+
+	/** qnx4 dir name length can vary, check the di_fname
+	 * fetched from (struct qnx4_inode_entry *) before use in
+	 * strlen to avoid panic due to buffer overflow"
+	 */
+	if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname))
+		return -ENAMETOOLONG;
 	thislen = strlen( de->di_fname );
 	if ( thislen > namelen )
 		thislen = namelen;
-- 
2.34.1


Powered by blists - more mailing lists