Message-ID: <CAK+_RLmVyVzL3G6++xOxfyEqEHL=bfZZx_Yj-TFNf5a7_oUoXw@mail.gmail.com>
Date:   Thu, 29 Nov 2018 15:23:00 +0000
From:   Tigran Aivazian <aivazian.tigran@...il.com>
To:     gregkh@...uxfoundation.org
Cc:     LKML <linux-kernel@...r.kernel.org>, stable@...r.kernel.org,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        syzbot <syzbot+71c6b5d68e91149fc8a4@...kaller.appspotmail.com>,
        Andrew Morton <akpm@...ux-foundation.org>, willy@...radead.org,
        torvalds@...ux-foundation.org
Subject: Re: [PATCH 4.19 033/110] bfs: add sanity check at bfs_fill_super()

Hello,

Yes, of course I object to it. I ignored this version of the patch
being applied to the older Linux versions, but for the latest versions
surely the version that I have authored should be applied instead. I
have sent to Andrew Morton both the 4.20-rc1 and 4.19.2 versions of
the patch. The 4.20 was applied (as "linux-next", I don't know why it
is not in 4.20-rc4 yet), but 4.19.2 version was not applied yet, so
here it is attached again (with the proper changelog etc). It applies
to 4.19.5 cleanly as well, so please use this version (attached).

Kind regards,
Tigran

On Thu, 29 Nov 2018 at 14:29, Greg Kroah-Hartman
<gregkh@...uxfoundation.org> wrote:
>
> 4.19-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
>
> commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream.
>
> syzbot is reporting too large memory allocation at bfs_fill_super() [1].
> Since file system image is corrupted such that bfs_sb->s_start == 0,
> bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix
> this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and
> printf().
>
> [1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96
>
> Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
> Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> Reported-by: syzbot <syzbot+71c6b5d68e91149fc8a4@...kaller.appspotmail.com>
> Reviewed-by: Andrew Morton <akpm@...ux-foundation.org>
> Cc: Tigran Aivazian <aivazian.tigran@...il.com>
> Cc: Matthew Wilcox <willy@...radead.org>
> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>
> ---
>  fs/bfs/inode.c |    9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> --- a/fs/bfs/inode.c
> +++ b/fs/bfs/inode.c
> @@ -350,7 +350,8 @@ static int bfs_fill_super(struct super_b
>
>         s->s_magic = BFS_MAGIC;
>
> -       if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) {
> +       if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) ||
> +           le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) {
>                 printf("Superblock is corrupted\n");
>                 goto out1;
>         }
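Review bot: The added `le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE` test sets a floor on s_start, but its only upper bound is still s_end, which is read from the same on-disk superblock. An image that sets both fields large passes this check, and the size computed for imap_len in the next hunk stays under the image's control. Consider also capping s_start (or the inode count derived from it) against an explicit maximum. Separately, s_start is now converted twice in one condition; reading it once into a local would make the condition easier to follow, and the "Superblock is corrupted" message could name the field that failed.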
> @@ -359,9 +360,11 @@ static int bfs_fill_super(struct super_b
>                                         sizeof(struct bfs_inode)
>                                         + BFS_ROOT_INO - 1;
>         imap_len = (info->si_lasti / 8) + 1;
> -       info->si_imap = kzalloc(imap_len, GFP_KERNEL);
> -       if (!info->si_imap)
> +       info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN);
> +       if (!info->si_imap) {
> +               printf("Cannot allocate %u bytes\n", imap_len);
>                 goto out1;
> +       }
>         for (i = 0; i < BFS_ROOT_INO; i++)
>                 set_bit(i, info->si_imap);
>
>
>
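Review bot: Adding `__GFP_NOWARN` to the kzalloc() of info->si_imap silences the allocation warning without limiting imap_len, so the kernel still attempts an allocation whose size comes from the mounted image and only the report goes away. A bound on imap_len before the allocation would address the cause, and the flag would then be unnecessary. Also check that imap_len is declared as an unsigned int to match the `%u` in the new printf(), since its declaration is outside this hunk, and that the `goto out1` path returns an out-of-memory error rather than the code used for a corrupted superblock.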

View attachment "bfs-4.19.2.patch" of type "text/x-patch" (9056 bytes)
