From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Al Viro <viro@ZenIV.linux.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: [PATCH] vfs: reject inodes with negative size to prevent kernel hang
Date: Tue, 6 Dec 2016 16:32:22 -0800 [thread overview]
Message-ID: <20161207003222.GI16807@birch.djwong.org> (raw)
Due to insufficient input validation, various filesystem drivers can
load an inode with a negative size from a maliciously crafted fs image.
If this happens, a subsequent write-append operation can cause integer
overflows in the writeback code, causing the kernel to lock up.
Therefore, if we catch anyone trying to link a dentry to a garbage
inode, reject the whole attempt.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
The regression tests for this bug are {ext4,xfs}/40[01] in the patch
"xfs/ext4: check negative inode size" that I just sent to fstests@vger.
I realize it's /very/ late in the 4.9 cycle, but this seemed like the
most general way to fix this problem.
Perhaps a better fix is to strengthen the _iget verification in every
filesystem, which I'm working on for 4.10. But we should at the very
least bonk suspicious looking activity. :)
---
fs/dcache.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/fs/dcache.c b/fs/dcache.c
index 5c7cc95..6a253a4 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2524,6 +2524,17 @@ static inline void __d_add(struct dentry *dentry, struct inode *inode)
n = start_dir_add(dir);
__d_lookup_done(dentry);
}
+
+ /*
+ * Someone fed us an inode with negative size?! This can cause
+ * integer overflows in other parts of the VFS, so reject this.
+ */
+ if (inode && i_size_read(inode) < 0) {
+ WARN_ON_ONCE(1);
+ iput(inode);
+ inode = NULL;
+ }
+
if (inode) {
unsigned add_flags = d_flags_for_inode(inode);
hlist_add_head(&dentry->d_u.d_alias, &inode->i_dentry);
@@ -2946,6 +2957,16 @@ struct dentry *d_splice_alias(struct inode *inode, struct dentry *dentry)
if (!inode)
goto out;
+ /*
+ * Someone fed us an inode with negative size?! This can cause
+ * integer overflows in other parts of the VFS, so reject this.
+ */
+ if (i_size_read(inode) < 0) {
+ WARN_ON_ONCE(1);
+ iput(inode);
+ return ERR_PTR(-EUCLEAN);
+ }
+
security_d_instantiate(dentry, inode);
spin_lock(&inode->i_lock);
if (S_ISDIR(inode->i_mode)) {
next reply other threads:[~2016-12-07 0:32 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-07 0:32 Darrick J. Wong [this message]
2016-12-07 3:54 ` [PATCH] vfs: reject inodes with negative size to prevent kernel hang kbuild test robot
2016-12-08 6:10 ` Darrick J. Wong
2016-12-10 1:59 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161207003222.GI16807@birch.djwong.org \
--to=darrick.wong@oracle.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).