| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Apr 2024 22:29:17 +0100
From: Matthew Wilcox <willy@...radead.org>
To: Kees Cook <keescook@...omium.org>
Cc: Jan Kara <jack@...e.cz>, Chuck Lever <chuck.lever@...cle.com>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Christian Brauner <brauner@...nel.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Jeff Layton <jlayton@...nel.org>,
Amir Goldstein <amir73il@...il.com>, linux-fsdevel@...r.kernel.org,
linux-nfs@...r.kernel.org, linux-hardening@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fs: Set file_handle::handle_bytes before referencing
file_handle::f_handle
On Thu, Apr 04, 2024 at 02:12:15PM -0700, Kees Cook wrote:
> Since __counted_by(handle_bytes) was added to struct file_handle, we need
> to explicitly set it in the one place it wasn't yet happening prior to
> accessing the flex array "f_handle". For robustness also check for a
> negative value for handle_bytes, which is possible for an "int", but
> nothing appears to set.
Why not change handle_bytes from an int to a u32?
Also, what a grotty function.
handle_dwords = f_handle.handle_bytes >> 2;
...
handle_bytes = handle_dwords * sizeof(u32);
> Fixes: 1b43c4629756 ("fs: Annotate struct file_handle with __counted_by() and use struct_size()")
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> Cc: Jan Kara <jack@...e.cz>
> Cc: Chuck Lever <chuck.lever@...cle.com>
> Cc: Gustavo A. R. Silva <gustavoars@...nel.org>
> Cc: Christian Brauner <brauner@...nel.org>
> Cc: Alexander Viro <viro@...iv.linux.org.uk>
> Cc: Jeff Layton <jlayton@...nel.org>
> Cc: Amir Goldstein <amir73il@...il.com>
> Cc: linux-fsdevel@...r.kernel.org
> Cc: linux-nfs@...r.kernel.org
> Cc: linux-hardening@...r.kernel.org
> v2: more bounds checking, add comments, dropped reviews since logic changed
> v1: https://lore.kernel.org/all/20240403215358.work.365-kees@kernel.org/
> ---
> fs/fhandle.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fhandle.c b/fs/fhandle.c
> index 8a7f86c2139a..854f866eaad2 100644
> --- a/fs/fhandle.c
> +++ b/fs/fhandle.c
> @@ -40,6 +40,11 @@ static long do_sys_name_to_handle(const struct path *path,
> GFP_KERNEL);
> if (!handle)
> return -ENOMEM;
> + /*
> + * Since handle->f_handle is about to be written, make sure the
> + * associated __counted_by(handle_bytes) variable is correct.
> + */
> + handle->handle_bytes = f_handle.handle_bytes;
>
> /* convert handle size to multiple of sizeof(u32) */
> handle_dwords = f_handle.handle_bytes >> 2;
> @@ -51,8 +56,8 @@ static long do_sys_name_to_handle(const struct path *path,
> handle->handle_type = retval;
> /* convert handle size to bytes */
> handle_bytes = handle_dwords * sizeof(u32);
> - handle->handle_bytes = handle_bytes;
> - if ((handle->handle_bytes > f_handle.handle_bytes) ||
> + /* check if handle_bytes would have exceeded the allocation */
> + if ((handle_bytes < 0) || (handle_bytes > f_handle.handle_bytes) ||
> (retval == FILEID_INVALID) || (retval < 0)) {
> /* As per old exportfs_encode_fh documentation
> * we could return ENOSPC to indicate overflow
> @@ -68,6 +73,8 @@ static long do_sys_name_to_handle(const struct path *path,
> handle_bytes = 0;
> } else
> retval = 0;
> + /* the "valid" number of bytes may fewer than originally allocated */
> + handle->handle_bytes = handle_bytes;
> /* copy the mount id */
> if (put_user(real_mount(path->mnt)->mnt_id, mnt_id) ||
> copy_to_user(ufh, handle,
> --
> 2.34.1
>
>
Powered by blists - more mailing lists