[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200616153111.834564988@linuxfoundation.org>
Date: Tue, 16 Jun 2020 17:35:05 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Amir Goldstein <amir73il@...il.com>,
Miklos Szeredi <mszeredi@...hat.com>,
syzbot+61958888b1c60361a791@...kaller.appspotmail.com
Subject: [PATCH 5.6 115/161] ovl: fix out of bounds access warning in ovl_check_fb_len()
From: Amir Goldstein <amir73il@...il.com>
commit 522f6e6cba6880a038e2bd88e10390b84cd3febd upstream.
syzbot reported out of bounds memory access from open_by_handle_at()
with a crafted file handle that looks like this:
{ .handle_bytes = 2, .handle_type = OVL_FILEID_V1 }
handle_bytes gets rounded down to 0 and we end up calling:
ovl_check_fh_len(fh, 0) => ovl_check_fb_len(fh + 3, -3)
But fh buffer is only 2 bytes long, so accessing struct ovl_fb at
fh + 3 is illegal.
Fixes: cbe7fba8edfc ("ovl: make sure that real fid is 32bit aligned in memory")
Reported-and-tested-by: syzbot+61958888b1c60361a791@...kaller.appspotmail.com
Cc: <stable@...r.kernel.org> # v5.5
Signed-off-by: Amir Goldstein <amir73il@...il.com>
Signed-off-by: Miklos Szeredi <mszeredi@...hat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
fs/overlayfs/overlayfs.h | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -339,6 +339,9 @@ int ovl_check_fb_len(struct ovl_fb *fb,
static inline int ovl_check_fh_len(struct ovl_fh *fh, int fh_len)
{
+ if (fh_len < sizeof(struct ovl_fh))
+ return -EINVAL;
+
return ovl_check_fb_len(&fh->fb, fh_len - OVL_FH_WIRE_OFFSET);
}
Powered by blists - more mailing lists