| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Dec 2023 12:59:22 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+33f23b49ac24f986c9e8@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [btrfs?] KASAN: slab-out-of-bounds Read in getname_kernel (2)
please test slab-out-of-bounds Read in getname_kernel
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3bd7d7488169
diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c
index f9544fda38e9..b7e8392d34dc 100644
--- a/fs/btrfs/dev-replace.c
+++ b/fs/btrfs/dev-replace.c
@@ -741,7 +741,8 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info,
}
if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') ||
- args->start.tgtdev_name[0] == '\0')
+ args->start.tgtdev_name[0] == '\0' ||
+ !args->start.tgtdev_name[0])
return -EINVAL;
ret = btrfs_dev_replace_start(fs_info, args->start.tgtdev_name,
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 4e50b62db2a8..43a508cea759 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3272,7 +3272,7 @@ static long btrfs_ioctl_get_dev_stats(struct btrfs_fs_info *fs_info,
static long btrfs_ioctl_dev_replace(struct btrfs_fs_info *fs_info,
void __user *arg)
{
- struct btrfs_ioctl_dev_replace_args *p;
+ struct btrfs_ioctl_dev_replace_args p = {};
int ret;
if (!capable(CAP_SYS_ADMIN))
@@ -3283,11 +3283,10 @@ static long btrfs_ioctl_dev_replace(struct btrfs_fs_info *fs_info,
return -EINVAL;
}
- p = memdup_user(arg, sizeof(*p));
- if (IS_ERR(p))
- return PTR_ERR(p);
+ if (copy_from_user(&p, arg, sizeof(p)))
+ return -EINVAL;
- switch (p->cmd) {
+ switch (p.cmd) {
case BTRFS_IOCTL_DEV_REPLACE_CMD_START:
if (sb_rdonly(fs_info->sb)) {
ret = -EROFS;
@@ -3296,16 +3295,16 @@ static long btrfs_ioctl_dev_replace(struct btrfs_fs_info *fs_info,
if (!btrfs_exclop_start(fs_info, BTRFS_EXCLOP_DEV_REPLACE)) {
ret = BTRFS_ERROR_DEV_EXCL_RUN_IN_PROGRESS;
} else {
- ret = btrfs_dev_replace_by_ioctl(fs_info, p);
+ ret = btrfs_dev_replace_by_ioctl(fs_info, &p);
btrfs_exclop_finish(fs_info);
}
break;
case BTRFS_IOCTL_DEV_REPLACE_CMD_STATUS:
- btrfs_dev_replace_status(fs_info, p);
+ btrfs_dev_replace_status(fs_info, &p);
ret = 0;
break;
case BTRFS_IOCTL_DEV_REPLACE_CMD_CANCEL:
- p->result = btrfs_dev_replace_cancel(fs_info);
+ p.result = btrfs_dev_replace_cancel(fs_info);
ret = 0;
break;
default:
@@ -3313,10 +3312,9 @@ static long btrfs_ioctl_dev_replace(struct btrfs_fs_info *fs_info,
break;
}
- if ((ret == 0 || ret == -ECANCELED) && copy_to_user(arg, p, sizeof(*p)))
+ if ((ret == 0 || ret == -ECANCELED) && copy_to_user(arg, &p, sizeof(p)))
ret = -EFAULT;
out:
- kfree(p);
return ret;
}
Powered by blists - more mailing lists