| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20180722110519.23917-1-tomasbortoli@gmail.com>
Date: Sun, 22 Jul 2018 13:05:19 +0200
From: Tomas Bortoli <tomasbortoli@...il.com>
To: dhowells@...hat.com
Cc: linux-cachefs@...hat.com, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com, Tomas Bortoli <tomasbortoli@...il.com>
Subject: [PATCH] fscache: fscache_set_key() - align alloc and usage
The fscache_set_key() function allocates the buf pointer if index_key_len > sizeof(cookie->inline_key).
In such cases the allocated space might not be aligned with the pointer type.
This may result in an out-of-bound in the for-loop later in the same function, as the counter is rounded up.
Signed-off-by: Tomas Bortoli <tomasbortoli@...il.com>
Reported-by: syzbot+a95b989b2dde8e806af8@...kaller.appspotmail.com
---
fs/fscache/cookie.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
index 97137d7ec5ee..ed28bfb6a0fe 100644
--- a/fs/fscache/cookie.c
+++ b/fs/fscache/cookie.c
@@ -98,7 +98,7 @@ static int fscache_set_key(struct fscache_cookie *cookie,
cookie->key_len = index_key_len;
if (index_key_len > sizeof(cookie->inline_key)) {
- buf = kzalloc(index_key_len, GFP_KERNEL);
+ buf = kzalloc(round_up(index_key_len, sizeof(u32)), GFP_KERNEL);
if (!buf)
return -ENOMEM;
cookie->key = buf;
--
2.11.0
Powered by blists - more mailing lists