From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91141C282C3 for ; Tue, 22 Jan 2019 06:51:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 695E120861 for ; Tue, 22 Jan 2019 06:51:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727146AbfAVGvl (ORCPT ); Tue, 22 Jan 2019 01:51:41 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:41424 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726853AbfAVGvl (ORCPT ); Tue, 22 Jan 2019 01:51:41 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0M6jq4Z048328 for ; Tue, 22 Jan 2019 01:51:40 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 2q5x58r90q-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 22 Jan 2019 01:51:40 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 22 Jan 2019 06:51:39 -0000 Received: from b03cxnp08025.gho.boulder.ibm.com (9.17.130.17) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 22 Jan 2019 06:51:35 -0000 Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x0M6pYHV29360238 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 22 Jan 2019 06:51:35 GMT Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E66ED78060; Tue, 22 Jan 2019 06:51:34 +0000 (GMT) Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4CA1B7805C; Tue, 22 Jan 2019 06:51:33 +0000 (GMT) Received: from localhost.in.ibm.com (unknown [9.124.35.121]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 22 Jan 2019 06:51:32 +0000 (GMT) From: Chandan Rajendra To: linux-fsdevel@vger.kernel.org Cc: Chandan Rajendra , viro@zeniv.linux.org.uk, joe@perches.com, miklos@szeredi.hu Subject: [PATCH] copy_mount_string: Limit string length to PATH_MAX Date: Tue, 22 Jan 2019 12:21:52 +0530 X-Mailer: git-send-email 2.19.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19012206-0012-0000-0000-000016FE4C00 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00010452; HX=3.00000242; KW=3.00000007; PH=3.00000004; SC=3.00000275; SDB=6.01150016; UDB=6.00599274; IPR=6.00930347; MB=3.00025234; MTD=3.00000008; XFM=3.00000015; UTC=2019-01-22 06:51:37 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19012206-0013-0000-0000-000055E9F836 Message-Id: <20190122065152.19173-1-chandan@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-01-22_04:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901220056 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org On ppc64le, When a string with PAGE_SIZE - 1 (i.e. 64k-1) length is passed as a "filesystem type" argument to the mount(2) syscall, copy_mount_string() ends up allocating 64k (the PAGE_SIZE on ppc64le) worth of space for holding the string in kernel's address space. Later, in set_precision() (invoked by get_fs_type() -> __request_module() -> vsnprintf()), we end up assigning strlen(fs-type-string) i.e. 65535 as the value to 'struct printf_spec'->precision member. This field has a width of 16 bits and it is a signed data type. Hence an invalid value ends up getting assigned. This causes the "WARN_ONCE(spec->precision != prec, "precision %d too large", prec)" statement inside set_precision() to be executed. This commit fixes the bug by limiting the length of the string passed by copy_mount_string() to strndup_user() to PATH_MAX. Signed-off-by: Chandan Rajendra Reported-by: Abdul Haleem Suggested-by: Al Viro --- fs/namespace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index 09d2aec0f88c..103513f07483 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2831,7 +2831,7 @@ void *copy_mount_options(const void __user * data) char *copy_mount_string(const void __user *data) { - return data ? strndup_user(data, PAGE_SIZE) : NULL; + return data ? strndup_user(data, PATH_MAX) : NULL; } /* -- 2.19.1