lists.openwall.net - Open Source and information security mailing list archives
Date:   Mon, 18 Jun 2018 11:38:11 +0300
From:   Nikolay Borisov <nborisov@...e.com>
To:     shaggy@...nel.org
Cc:     jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
        shankarapailoor@...il.com, Nikolay Borisov <nborisov@...e.com>
Subject: [PATCH] jfs: Fix buffer overrun in ea_get

Currently ea_buf->xattr buffer is allocated with min(min_size, ea_size).
This is wrong since after the xattr buffer is allocated the ->max_size
variable is actually rounded up to the next ->s_blocksize size. Fix this
by using the rounded up max_size as input to the malloc.

Suggested-by: Shankara Pailoor <shankarapailoor@...il.com>
Reported-by: Shankara Pailoor <shankarapailoor@...il.com>
CC: shankarapailoor@...il.com
Signed-off-by: Nikolay Borisov <nborisov@...e.com>
---
Hello David, 

I'm sending you the patch for the issue which was originally reported and
suggested by Shankar. I wouldn't usually go and override the original
author of a patch, but given the clear lack of experience with upstream
(missing SOB line, no changelog explaining the change, etc.) and the fact
there is already a CVE for this issue (using syzkaller for quick CVE
generation seems to be all the rage these days, go figure...), I'd rather
have an upstream, backportable version sooner rather than later.

 fs/jfs/xattr.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index c60f3d32ee91..96b9355ff69a 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -493,14 +493,14 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
 		 * To keep the rest of the code simple.  Allocate a
 		 * contiguous buffer to work with
 		 */
-		ea_buf->xattr = kmalloc(size, GFP_KERNEL);
-		if (ea_buf->xattr == NULL)
-			return -ENOMEM;
-
 		ea_buf->flag = EA_MALLOC;
 		ea_buf->max_size = (size + sb->s_blocksize - 1) &
 		    ~(sb->s_blocksize - 1);
 
+		ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
+		if (ea_buf->xattr == NULL)
+			return -ENOMEM;
+
 		if (ea_size == 0)
 			return 0;
 
-- 
2.7.4
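To make the mismatch concrete, here is an added user-space model of the allocation ordering the patch changes. This is example code written for this page, not JFS or kernel code: the struct, function names and sample sizes are assumptions; the only expression taken from the hunk is the block-size round-up. The "consumer" deliberately does not overrun the heap; it reports how many bytes a max_size-sized write would land past the allocation.

```c
/*
 * Added example (not part of the patch or the JFS source): a user-space
 * model of the ea_get() allocation mismatch.  Names and sample sizes are
 * assumptions for illustration; the round-up expression is from the hunk.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ea_model {
	unsigned char *xattr;  /* heap buffer, like ea_buf->xattr */
	size_t alloc_len;      /* what the allocator was actually asked for */
	size_t max_size;       /* what the rest of the code assumes it has */
};

/* Round-up used by ea_get(); assumes blocksize is a power of two. */
static size_t round_up_to_block(size_t size, size_t blocksize)
{
	return (size + blocksize - 1) & ~(blocksize - 1);
}

/* Before the patch: allocate 'size', then round max_size up. */
static int ea_alloc_before(struct ea_model *ea, size_t size, size_t blocksize)
{
	ea->xattr = malloc(size);
	if (ea->xattr == NULL)
		return -1;
	ea->alloc_len = size;
	ea->max_size = round_up_to_block(size, blocksize);
	return 0;
}

/* After the patch: compute max_size first and allocate that much. */
static int ea_alloc_after(struct ea_model *ea, size_t size, size_t blocksize)
{
	ea->max_size = round_up_to_block(size, blocksize);
	ea->xattr = malloc(ea->max_size);
	if (ea->xattr == NULL)
		return -1;
	ea->alloc_len = ea->max_size;
	return 0;
}

/*
 * Models a later consumer that treats the buffer as max_size bytes long
 * (e.g. filling it up to the block boundary).  Instead of really writing
 * past the allocation it returns the number of bytes that would overrun;
 * 0 means the write fits.
 */
static size_t ea_overrun_bytes(const struct ea_model *ea)
{
	if (ea->max_size <= ea->alloc_len) {
		memset(ea->xattr, 0, ea->max_size); /* in bounds */
		return 0;
	}
	memset(ea->xattr, 0, ea->alloc_len);        /* only what fits */
	return ea->max_size - ea->alloc_len;
}

static void ea_free(struct ea_model *ea)
{
	free(ea->xattr);
	ea->xattr = NULL;
}

/* Overrun (in bytes) for one request size under the old ordering. */
size_t overrun_before(size_t size, size_t blocksize)
{
	struct ea_model ea;
	size_t n;

	if (ea_alloc_before(&ea, size, blocksize))
		return (size_t)-1;
	n = ea_overrun_bytes(&ea);
	ea_free(&ea);
	return n;
}

/* Overrun (in bytes) for one request size under the patched ordering. */
size_t overrun_after(size_t size, size_t blocksize)
{
	struct ea_model ea;
	size_t n;

	if (ea_alloc_after(&ea, size, blocksize))
		return (size_t)-1;
	n = ea_overrun_bytes(&ea);
	ea_free(&ea);
	return n;
}

int main(void)
{
	/* Constructed sample sizes; 4096 models a typical s_blocksize. */
	size_t sizes[] = { 100, 4096, 4097 };
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("size=%zu before=%zu after=%zu\n", sizes[i],
		       overrun_before(sizes[i], 4096),
		       overrun_after(sizes[i], 4096));
	return 0;
}
```

The only case where the old ordering is safe is when the requested size is already a multiple of the block size; any other size leaves a gap of up to blocksize-1 bytes between what was allocated and what max_size promises.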
