From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jann Horn <jannh@google.com>,
	Jeff Mahoney <jeffm@suse.com>, Eric Biggers <ebiggers@google.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.4 79/79] reiserfs: fix broken xattr handling (heap corruption, bad retval)
Date: Thu, 23 Aug 2018 09:53:55 +0200
Message-ID: <20180823074924.369245762@linuxfoundation.org>
In-Reply-To: <20180823074918.641878835@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.

This fixes the following issues:

- When a buffer size is supplied to reiserfs_listxattr() such that each
  individual name fits, but the concatenation of all names doesn't fit,
  reiserfs_listxattr() overflows the supplied buffer.  This leads to a
  kernel heap overflow (verified using KASAN) followed by an out-of-bounds
  usercopy and is therefore a security bug.

- When a buffer size is supplied to reiserfs_listxattr() such that a
  name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
  truncates the list of names; I have verified that if the only xattr on a
  file has a longer name than the supplied buffer length, listxattr()
  incorrectly returns zero.

With my patch applied, -ERANGE is returned in both cases and the memory
corruption doesn't happen anymore.

Credit for making me clean this code up a bit goes to Al Viro, who pointed
out that the ->actor calling convention is suboptimal and should be
changed.

Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Cc: Eric Biggers <ebiggers@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/reiserfs/xattr.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -791,8 +791,10 @@ static int listxattr_filler(struct dir_c
 			size = handler->list(handler, b->dentry,
 					     b->buf + b->pos, b->size, name,
 					     namelen);
-			if (size > b->size)
+			if (b->pos + size > b->size) {
+				b->pos = -ERANGE;
 				return -ERANGE;
+			}
 		} else {
 			size = handler->list(handler, b->dentry,
 					     NULL, 0, name, namelen);



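The two failure modes described in the commit message, played out in a small userspace model. This is an added illustration, not kernel code and not part of the patch: `model_listxattr`, `guard_clobbered` and `single_long_name` are constructed names, the model follows the upstream filler shape in which the filler itself copies the name after the bounds check, and a nonzero filler return is treated the way dir_emit() treats it, stopping the walk without propagating the error. The `fixed` flag switches between the old `size > b->size` check and the patched `b->pos + size > b->size` check with the `b->pos = -ERANGE` poison.

```c
#include <errno.h>
#include <string.h>
/* Userspace model of reiserfs' listxattr_filler() walk (constructed, not kernel
 * code). Names are appended NUL-terminated to a flat buffer; a nonzero filler
 * return only stops the walk, as dir_emit() does, so the caller gets pos. */
struct listxattr_buf {
	char *buf;
	size_t pos;  /* bytes emitted so far; poisoned with -ERANGE on overflow */
	size_t size; /* capacity the caller claimed */
};
#define GUARD 16 /* bytes kept after the buffer so an overrun is detectable */

/* Returns what listxattr() would: total length, or -ERANGE. 'fixed' selects
 * the pre-patch check (size > b->size) or the patched one from the hunk. */
static long model_listxattr(const char **names, size_t n,
			    char *buf, size_t size, int fixed)
{
	struct listxattr_buf b = { .buf = buf, .pos = 0, .size = size };
	for (size_t i = 0; i < n; i++) {
		size_t namelen = strlen(names[i]), len = namelen + 1;
		if (fixed ? b.pos + len > b.size : len > b.size) {
			if (fixed)
				b.pos = (size_t)-ERANGE; /* so the caller sees the error */
			break;                           /* walk stops; nothing more is written */
		}
		memcpy(b.buf + b.pos, names[i], namelen);
		b.buf[b.pos + namelen] = '\0';
		b.pos += len;
	}
	return (long)b.pos;
}

/* First case from the commit message: each name fits on its own but the
 * concatenation does not. Returns 1 if bytes past 'size' were clobbered. */
static int guard_clobbered(int fixed, long *ret)
{
	const char *names[] = { "user.a", "user.b" }; /* 7 bytes each incl. NUL */
	char buf[8 + GUARD + 1] = { 0 };            /* constructed 8-byte buffer */
	memset(buf, 'G', 8 + GUARD);
	*ret = model_listxattr(names, 2, buf, 8, fixed);
	return strspn(buf + 8, "G") != GUARD;
}
/* Second case: the only name is longer than the whole buffer. */
static long single_long_name(int fixed)
{
	const char *names[] = { "user.a_rather_long_name" };
	char buf[8];
	return model_listxattr(names, 1, buf, 8, fixed);
}
```

Before the patch the guard bytes behind the 8-byte buffer are overwritten and 14 is reported, so a caller would then copy 14 bytes back out of an 8-byte buffer; after it the guard is intact and -ERANGE comes back. The single overlong name yields 0 before the patch and -ERANGE after it.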