From: Luis Chamberlain <mcgrof@kernel.org>
To: linux-xfs@vger.kernel.org, gregkh@linuxfoundation.org,
	Alexander.Levin@microsoft.com
Cc: stable@vger.kernel.org, amir73il@gmail.com, hch@infradead.org,
	zlang@redhat.com, "Darrick J. Wong" <darrick.wong@oracle.com>,
	Christoph Hellwig <hch@lst.de>,
	Luis Chamberlain <mcgrof@kernel.org>
Subject: [PATCH 3/9] xfs: don't overflow xattr listent buffer
Date: Thu, 18 Jul 2019 23:06:11 +0000	[thread overview]
Message-ID: <20190718230617.7439-4-mcgrof@kernel.org> (raw)
In-Reply-To: <20190718230617.7439-1-mcgrof@kernel.org>

From: "Darrick J. Wong" <darrick.wong@oracle.com>

commit 3b50086f0c0d78c144d9483fa292c1509c931b70 upstream.

For VFS listxattr calls, xfs_xattr_put_listent calls
__xfs_xattr_put_listent twice if it sees an attribute
"trusted.SGI_ACL_FILE": once for that name, and again for
"system.posix_acl_access".  Unfortunately, if we happen to run out of
buffer space while emitting the first name, we set count to -1 (so that
we can feed ERANGE to the caller).  The second invocation doesn't check that
the context parameters make sense and overwrites the byte before the
buffer, triggering a KASAN report:

==================================================================
BUG: KASAN: slab-out-of-bounds in strncpy+0xb3/0xd0
Write of size 1 at addr ffff88807fbd317f by task syz/1113

CPU: 3 PID: 1113 Comm: syz Not tainted 5.0.0-rc6-xfsx #rc6
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 dump_stack+0xcc/0x180
 print_address_description+0x6c/0x23c
 kasan_report.cold.3+0x1c/0x35
 strncpy+0xb3/0xd0
 __xfs_xattr_put_listent+0x1a9/0x2c0 [xfs]
 xfs_attr_list_int_ilocked+0x11af/0x1800 [xfs]
 xfs_attr_list_int+0x20c/0x2e0 [xfs]
 xfs_vn_listxattr+0x225/0x320 [xfs]
 listxattr+0x11f/0x1b0
 path_listxattr+0xbd/0x130
 do_syscall_64+0x139/0x560

While we're at it we add an assert to the other put_listent to avoid
this sort of thing ever happening to the attrlist_by_handle code.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Suggested-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 fs/xfs/xfs_attr_list.c | 1 +
 fs/xfs/xfs_xattr.c     | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/fs/xfs/xfs_attr_list.c b/fs/xfs/xfs_attr_list.c
index a58034049995..3d213a7394c5 100644
--- a/fs/xfs/xfs_attr_list.c
+++ b/fs/xfs/xfs_attr_list.c
@@ -555,6 +555,7 @@ xfs_attr_put_listent(
 	attrlist_ent_t *aep;
 	int arraytop;
 
+	ASSERT(!context->seen_enough);
 	ASSERT(!(context->flags & ATTR_KERNOVAL));
 	ASSERT(context->count >= 0);
 	ASSERT(context->count < (ATTR_MAX_VALUELEN/8));
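Review bot: the new `ASSERT(!context->seen_enough)` is a debug-build check, so in this hunk the attrlist_by_handle path gains documentation of the invariant rather than a runtime guard; that matches the commit message, which presents it as a safeguard for a path where the overflow has not been observed. Placing it ahead of the existing `ASSERT(context->count >= 0)` is the right order, since a caller that already hit the buffer limit will then be reported by the more descriptive assertion. If the attrlist_by_handle path is ever found to reach here with `seen_enough` set on a non-debug kernel, the same early-return pattern used in the xfs_xattr.c hunk would be the minimal fix.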
diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c
index 63ee1d5bf1d7..9a63016009a1 100644
--- a/fs/xfs/xfs_xattr.c
+++ b/fs/xfs/xfs_xattr.c
@@ -129,6 +129,9 @@ __xfs_xattr_put_listent(
 	char *offset;
 	int arraytop;
 
+	if (context->count < 0 || context->seen_enough)
+		return;
+
 	if (!context->alist)
 		goto compute_size;
 
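Review bot: the guard `if (context->count < 0 || context->seen_enough) return;` is the actual fix and it sits before the `if (!context->alist) goto compute_size;` branch, so both the size-query path and the copy path are short-circuited once an earlier call has flagged overflow; that prevents the second `system.posix_acl_access` emission described in the commit message from writing with a count of -1. Returning without touching `context->count` is correct because it preserves the -1 sentinel the caller turns into ERANGE. One suggestion: add a one-line comment above the guard stating that a negative count means a previous entry already overflowed the buffer, since this function is where that sentinel is interpreted and nothing in the hunk otherwise explains the `< 0` comparison.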
-- 
2.20.1
