Message-Id: <20220326114009.1690-1-aissur0002@gmail.com>
Date: Sat, 26 Mar 2022 14:40:09 +0300
From: Fedor Pchelkin <aissur0002@...il.com>
To: Alexander Viro <viro@...iv.linux.org.uk>
Cc: Fedor Pchelkin <aissur0002@...il.com>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>
Subject: [PATCH 4/4] file: Fix file descriptor leak in copy_fd_bitmaps()

If count argument in copy_fd_bitmaps() is not a multiple of
BITS_PER_BYTE, then one byte is lost and is not used in further
manipulations with cpy value in memcpy() and memset()
causing a leak. The leak was introduced with close_range() call
using CLOSE_RANGE_UNSHARE flag.

The patch suggests implementing an indicator (named add_byte)
of count being multiple of BITS_PER_BYTE and adding it to the
cpy value.

Found by Syzkaller (https://github.com/google/syzkaller).

Signed-off-by: Fedor Pchelkin <aissur0002@...il.com>
Signed-off-by: Alexey Khoroshilov <khoroshilov@...ras.ru>
---
fs/file.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/file.c b/fs/file.c
index 3ef1479df203..3c64a6423604 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -56,10 +56,8 @@ static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt,
{
unsigned int cpy, set;
unsigned int add_byte = 0;
-
if (count % BITS_PER_BYTE != 0)
add_byte = 1;
-
cpy = count / BITS_PER_BYTE + add_byte;
set = (nfdt->max_fds - count) / BITS_PER_BYTE;
memcpy(nfdt->open_fds, ofdt->open_fds, cpy);
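
Review bot: the only changes in this hunk are the two removed blank lines, one after `unsigned int add_byte = 0;` and one before `cpy = count / BITS_PER_BYTE + add_byte;`, so the patch as posted changes no behaviour, while the commit message describes adding the add_byte indicator, which already appears in the unchanged context lines. The functional change and its description belong in the same patch: either fold this whitespace cleanup into the patch of the series that introduces add_byte, or retitle this one as a whitespace-only change so that anyone tracking the descriptor-leak fix for backporting picks the commit that actually alters cpy. Separately, the blank line after the local declarations is what kernel coding style expects (checkpatch warns about a missing blank line after declarations), so the first removal should be dropped.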
--
2.25.1