Message-ID: <20231107143002.1342295-1-syoshida@redhat.com>
Date:   Tue,  7 Nov 2023 23:30:02 +0900
From:   Shigeru Yoshida <syoshida@...hat.com>
To:     linkinjeon@...nel.org, sj1557.seo@...sung.com
Cc:     linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        Shigeru Yoshida <syoshida@...hat.com>
Subject: [PATCH] exfat: Fix uninit-value access in __exfat_write_inode()

KMSAN reported the following uninit-value access issue:

=====================================================
BUG: KMSAN: uninit-value in exfat_set_entry_time+0x309/0x360 fs/exfat/misc.c:99
 exfat_set_entry_time+0x309/0x360 fs/exfat/misc.c:99
 __exfat_write_inode+0x7ae/0xdb0 fs/exfat/inode.c:59
 __exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
 exfat_truncate+0x121/0x540 fs/exfat/file.c:211
 exfat_setattr+0x116c/0x1a40 fs/exfat/file.c:312
 notify_change+0x1934/0x1a30 fs/attr.c:499
 do_truncate+0x224/0x2a0 fs/open.c:66
 handle_truncate fs/namei.c:3280 [inline]
 do_open fs/namei.c:3626 [inline]
 path_openat+0x56c6/0x5f20 fs/namei.c:3779
 do_filp_open+0x21c/0x5a0 fs/namei.c:3809
 do_sys_openat2+0x1ba/0x2f0 fs/open.c:1440
 do_sys_open fs/open.c:1455 [inline]
 __do_sys_creat fs/open.c:1531 [inline]
 __se_sys_creat fs/open.c:1525 [inline]
 __x64_sys_creat+0xe3/0x140 fs/open.c:1525
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was stored to memory at:
 exfat_set_entry_time+0x302/0x360 fs/exfat/misc.c:99
 __exfat_write_inode+0x7ae/0xdb0 fs/exfat/inode.c:59
 __exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
 exfat_truncate+0x121/0x540 fs/exfat/file.c:211
 exfat_setattr+0x116c/0x1a40 fs/exfat/file.c:312
 notify_change+0x1934/0x1a30 fs/attr.c:499
 do_truncate+0x224/0x2a0 fs/open.c:66
 handle_truncate fs/namei.c:3280 [inline]
 do_open fs/namei.c:3626 [inline]
 path_openat+0x56c6/0x5f20 fs/namei.c:3779
 do_filp_open+0x21c/0x5a0 fs/namei.c:3809
 do_sys_openat2+0x1ba/0x2f0 fs/open.c:1440
 do_sys_open fs/open.c:1455 [inline]
 __do_sys_creat fs/open.c:1531 [inline]
 __se_sys_creat fs/open.c:1525 [inline]
 __x64_sys_creat+0xe3/0x140 fs/open.c:1525
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Local variable ts created at:
 __exfat_write_inode+0x102/0xdb0 fs/exfat/inode.c:29
 __exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163

CPU: 0 PID: 13839 Comm: syz-executor.7 Not tainted 6.6.0-14500-g1c41041124bd #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
=====================================================

Commit 4c72a36edd54 ("exfat: convert to new timestamp accessors") changed
__exfat_write_inode() to use new timestamp accessor functions.

As for mtime, inode_set_mtime_to_ts() is called after
exfat_set_entry_time(). This causes the above issue because `ts` is not
initialized when exfat_set_entry_time() is called. The same issue can occur
for atime.

This patch resolves this issue by calling inode_get_mtime() and
inode_get_atime() before exfat_set_entry_time() to initialize `ts`.

Fixes: 4c72a36edd54 ("exfat: convert to new timestamp accessors")
Signed-off-by: Shigeru Yoshida <syoshida@...hat.com>
---
 fs/exfat/inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/exfat/inode.c b/fs/exfat/inode.c
index 875234179d1f..e7ff58b8e68c 100644
--- a/fs/exfat/inode.c
+++ b/fs/exfat/inode.c
@@ -56,18 +56,18 @@ int __exfat_write_inode(struct inode *inode, int sync)
 			&ep->dentry.file.create_time,
 			&ep->dentry.file.create_date,
 			&ep->dentry.file.create_time_cs);
+	ts = inode_get_mtime(inode);
 	exfat_set_entry_time(sbi, &ts,
 			     &ep->dentry.file.modify_tz,
 			     &ep->dentry.file.modify_time,
 			     &ep->dentry.file.modify_date,
 			     &ep->dentry.file.modify_time_cs);
-	inode_set_mtime_to_ts(inode, ts);
+	ts = inode_get_atime(inode);
 	exfat_set_entry_time(sbi, &ts,
 			     &ep->dentry.file.access_tz,
 			     &ep->dentry.file.access_time,
 			     &ep->dentry.file.access_date,
 			     NULL);
-	inode_set_atime_to_ts(inode, ts);
 
 	/* File size should be zero if there is no cluster allocated */
 	on_disk_size = i_size_read(inode);
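Review bot: the commit message only mentions the added inode_get_mtime()/inode_get_atime() calls, but the hunk also drops the inode_set_mtime_to_ts(inode, ts) and inode_set_atime_to_ts(inode, ts) write-backs that followed each exfat_set_entry_time() call; one sentence in the message saying why they can go (ts is now loaded from the inode itself, so writing it back is redundant unless exfat_set_entry_time() modifies it) would make the change reviewable from the log alone and would make the "2 deletions" in the diffstat match the description.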
-- 
2.41.0
