| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Jan 2024 15:14:12 +0800 From: Fullway Wang <fullwaywang@...look.com> To: jannh@...gle.com, akpm@...ux-foundation.org Cc: dhowells@...hat.com, linux-kernel@...r.kernel.org, fullwaywang@...cent.com, Fullway Wang <fullwaywang@...look.com> Subject: [PATCH] fs: romfs: Fix potential uninitialized memory leak romfs_dev_read() fetches a caller-supplied number of bytes from the backing device in an all-or-nothing manner. Commit bcf85fc fixed CVE-2020-29371, which exposed the bug when the requested length crossed the filesystem size limit, the number of bytes to requested was truncated. However, in romfs_readdir() in super.c, the requested number is firstly truncated with romfs_dev_strnlen() then passed to romfs_dev_read(), leaving the bug exploitable still. Fix this by returning an error code instead of changing the length in romfs_dev_strnlen() when the read might go beyond the end of the filesystem. Signed-off-by: Fullway Wang <fullwaywang@...look.com> --- fs/romfs/storage.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/fs/romfs/storage.c b/fs/romfs/storage.c index b57b3ffcbc32..e0e4ecca4e65 100644 --- a/fs/romfs/storage.c +++ b/fs/romfs/storage.c @@ -240,10 +240,8 @@ ssize_t romfs_dev_strnlen(struct super_block *sb, size_t limit; limit = romfs_maxsize(sb); - if (pos >= limit) + if (pos >= limit || buflen > limit - pos) return -EIO; - if (maxlen > limit - pos) - maxlen = limit - pos; #ifdef CONFIG_ROMFS_ON_MTD if (sb->s_mtd) -- 2.39.3 (Apple Git-145)
Powered by blists - more mailing lists