From: Sasha Levin <sashal@kernel.org>
To: Richard Weinberger <richard@nod.at>
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
Sasha Levin <alexander.levin@microsoft.com>
Subject: Re: [PATCH AUTOSEL 3.18 6/6] ubifs: Check for name being NULL while mounting
Date: Wed, 10 Oct 2018 11:00:07 -0400 [thread overview]
Message-ID: <20181010150007.GH32006@sasha-vm> (raw)
In-Reply-To: <4196827.3PtsAkI51k@blindfold>
On Fri, Oct 05, 2018 at 06:24:42PM +0200, Richard Weinberger wrote:
>Sasha,
>
>Am Freitag, 5. Oktober 2018, 18:17:50 CEST schrieb Sasha Levin:
>> From: Richard Weinberger <richard@nod.at>
>>
>> [ Upstream commit 37f31b6ca4311b94d985fb398a72e5399ad57925 ]
>>
>> The requested device name can be NULL or an empty string.
>> Check for that and refuse to continue. UBIFS has to do this manually
>> since we cannot use mount_bdev(), which checks for this condition.
>>
>> Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
>> Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com
>> Signed-off-by: Richard Weinberger <richard@nod.at>
>> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
>
>I'm not sure whether it makes sense to apply this patch to stable.
>1. You need to be the real root to hit this code path.
>2. Access is read-only, for an attacker it is useless.
>
>If we look at the code:
> if (name[0] != 'u' || name[1] != 'b' || name[2] != 'i')
> return ERR_PTR(-EINVAL);
>
> /* ubi:NAME method */
> if ((name[3] == ':' || name[3] == '!') && name[4] != '\0')
>
>name can be NULL, so we access just a few bytes.
>
>Thanks,
>//richard
Hi Richard,
I wasn't really looking at it from a security perspective. My thought
process was that if a user (root or not) is doing action A, expecting
result B but instead unexpectedly sees result C then it's a bug worth
fixing in stable.
If you think it's a risky change for stable I'd be happy to drop it.
--
Thanks,
Sasha
prev parent reply other threads:[~2018-10-10 15:00 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-05 16:17 [PATCH AUTOSEL 3.18 1/6] selftests/efivarfs: add required kernel configs Sasha Levin
2018-10-05 16:17 ` [PATCH AUTOSEL 3.18 2/6] mfd: omap-usb-host: Fix dts probe of children Sasha Levin
2018-10-05 16:17 ` [PATCH AUTOSEL 3.18 3/6] stmmac: fix valid numbers of unicast filter entries Sasha Levin
2018-10-05 16:17 ` [PATCH AUTOSEL 3.18 4/6] net: hp100: fix always-true check for link up state Sasha Levin
2018-10-05 16:17 ` [PATCH AUTOSEL 3.18 5/6] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl Sasha Levin
2018-10-05 16:17 ` [PATCH AUTOSEL 3.18 6/6] ubifs: Check for name being NULL while mounting Sasha Levin
2018-10-05 16:24 ` Richard Weinberger
2018-10-10 15:00 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181010150007.GH32006@sasha-vm \
--to=sashal@kernel.org \
--cc=alexander.levin@microsoft.com \
--cc=linux-kernel@vger.kernel.org \
--cc=richard@nod.at \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.