From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Gertjan Halkes <gertjan@google.com>,
	Dominique Martinet <dominique.martinet@cea.fr>,
	Sasha Levin <sashal@kernel.org>,
	v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 3.18 02/10] 9p: do not trust pdu content for stat item size
Date: Fri, 29 Mar 2019 21:32:19 -0400
Message-ID: <20190330013227.1365-2-sashal@kernel.org>
In-Reply-To: <20190330013227.1365-1-sashal@kernel.org>

From: Gertjan Halkes <gertjan@google.com>

[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]

v9fs_dir_readdir() could deadloop if a struct was sent with a size set
to -2

Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmadeus@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
Signed-off-by: Gertjan Halkes <gertjan@google.com>
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/9p/vfs_dir.c   | 8 +++-----
 net/9p/protocol.c | 3 ++-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index cfe4cf6486af..fa7d1c3536e6 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -104,7 +104,6 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
 	int err = 0;
 	struct p9_fid *fid;
 	int buflen;
-	int reclen = 0;
 	struct p9_rdir *rdir;
 
 	p9_debug(P9_DEBUG_VFS, "name %pD\n", file);
@@ -129,11 +128,10 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
 		while (rdir->head < rdir->tail) {
 			err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
 					  rdir->tail - rdir->head, &st);
-			if (err) {
+			if (err <= 0) {
 				p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
 				return -EIO;
 			}
-			reclen = st.size+2;
 
 			over = !dir_emit(ctx, st.name, strlen(st.name),
 					 v9fs_qid2ino(&st.qid), dt_type(&st));
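Review bot: In the `if (err <= 0)` check, `err` now carries either a failure code or the number of bytes consumed, so the name misleads and the "returned %d" debug line prints 0 for the zero-length case even though the function returns -EIO. Consider assigning the p9stat_read() result to a separate length variable (the removed `reclen` would serve) and adding a one-line comment that a zero return is rejected because it would leave rdir->head unchanged, so the `while (rdir->head < rdir->tail)` loop would make no progress.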
@@ -141,8 +139,8 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
 			if (over)
 				return 0;
 
-			rdir->head += reclen;
-			ctx->pos += reclen;
+			rdir->head += err;
+			ctx->pos += err;
 		}
 	}
 }
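Review bot: `rdir->head += err` relies on p9stat_read() never reporting more than the `rdir->tail - rdir->head` bytes it was handed, and nothing in this loop checks that. The `while (rdir->head < rdir->tail)` condition would still end the loop on an overshoot, but `ctx->pos` would then be advanced past the buffered data. Either state that guarantee in a comment next to the increment or reject `err > rdir->tail - rdir->head` with -EIO before advancing.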
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index bceb6999614f..66613837b287 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -578,9 +578,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int len, struct p9_wstat *st)
 	if (ret) {
 		p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret);
 		trace_9p_protocol_dump(clnt, &fake_pdu);
+		return ret;
 	}
 
-	return ret;
+	return fake_pdu.offset;
 }
 EXPORT_SYMBOL(p9stat_read);
 
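Review bot: The return contract of p9stat_read() changes at `return fake_pdu.offset;` from zero on success to bytes consumed on success, yet the hunk updates no documentation for the function and the patch adapts only v9fs_dir_readdir(). Any other caller that tests the result with `if (ret)` would now treat success as failure, so the changelog should say that callers were audited, and the function comment should describe the new return value. Note also that `if (ret)` forwards any nonzero value unchanged; since the caller now reads a positive result as a length, a comment on the range of `ret` at that point (or testing `ret < 0`) would make the contract explicit.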
-- 
2.19.1

