lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAKFNMon3DWhBxMor7UNqTcrTdms6nUQF+=uWDeEc0wWerH4sOQ@mail.gmail.com>
Date: Tue, 16 Apr 2024 01:44:59 +0900
From: Ryusuke Konishi <konishi.ryusuke@...il.com>
To: Jeongjun Park <aha310510@...il.com>
Cc: linux-nilfs@...r.kernel.org, linux-kernel@...r.kernel.org, 
	syzbot+2e22057de05b9f3b30d8@...kaller.appspotmail.com
Subject: Re: [PATCH] nilfs: Fix OOB in nilfs_set_de_type

On Tue, Apr 16, 2024 at 12:40 AM Jeongjun Park  wrote:
>
>
> static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode)
> {
>         umode_t mode = inode->i_mode;
>
>         de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
> }
>
>
>
> The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is defined
> as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function, which uses this array,
> specifies the index to read from the array in the same way as "(mode & S_IFMT) >> S_SHIFT".
>
> However, when the index is determined this way, an out-of-bounds (OOB) error occurs by referring
> to an index that is 1 larger than the array size when the condition "mode & S_IFMT == S_IFMT" is satisfied.
> Therefore, a patch to resize the nilfs_type_by_mode array should be applied to prevent OOB errors.
>
>
>
> Reported-and-tested-by: syzbot+2e22057de05b9f3b30d8@...kaller.appspotmailcom
> Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
> Signed-off-by: Jeongjun Park <aha310510@...il.com>
> ---
>  fs/nilfs2/dir.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
> index bc846b904b68..aee40db7a036 100644
> --- a/fs/nilfs2/dir.c
> +++ b/fs/nilfs2/dir.c
> @@ -240,7 +240,7 @@ nilfs_filetype_table[NILFS_FT_MAX] = {
>
>  #define S_SHIFT 12
>  static unsigned char
> -nilfs_type_by_mode[S_IFMT >> S_SHIFT] = {
> +nilfs_type_by_mode[(S_IFMT >> S_SHIFT) + 1] = {
>         [S_IFREG >> S_SHIFT]    = NILFS_FT_REG_FILE,
>         [S_IFDIR >> S_SHIFT]    = NILFS_FT_DIR,
>         [S_IFCHR >> S_SHIFT]    = NILFS_FT_CHRDEV,

Thank you for your prompt response and posting the patch.

A little formatting and tag editing is required, but it's okay.
I'll handle this patch.

Thanks,
Ryusuke Konishi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ