From: "Pali Rohár" <pali@kernel.org>
To: linux-fsdevel@vger.kernel.org,
linux-ntfs-dev@lists.sourceforge.net, linux-cifs@vger.kernel.org,
jfs-discussion@lists.sourceforge.net,
linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>, Jan Kara <jack@suse.cz>,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Anton Altaparmakov <anton@tuxera.com>,
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>,
Luis de Bethencourt <luisbg@kernel.org>,
Salah Triki <salah.triki@gmail.com>,
Steve French <sfrench@samba.org>, Paulo Alcantara <pc@cjr.nz>,
Ronnie Sahlberg <lsahlber@redhat.com>,
Shyam Prasad N <sprasad@microsoft.com>,
Tom Talpey <tom@talpey.com>, Dave Kleikamp <shaggy@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Pavel Machek <pavel@ucw.cz>,
Christoph Hellwig <hch@infradead.org>,
Kari Argillander <kari.argillander@gmail.com>,
Viacheslav Dubeyko <slava@dubeyko.com>
Subject: [RFC PATCH v2 13/18] jfs: Fix buffer overflow in jfs_strfromUCS_le() function
Date: Mon, 26 Dec 2022 15:21:45 +0100 [thread overview]
Message-ID: <20221226142150.13324-14-pali@kernel.org> (raw)
In-Reply-To: <20221226142150.13324-1-pali@kernel.org>
Function jfs_strfromUCS_le() writes to unknown offset in buffer allocated
by __get_free_page(GFP_KERNEL). So it cannot expects that there is least
NLS_MAX_CHARSET_SIZE bytes space before end of that buffer.
Fix this issue by add a new parameter maxlen for jfs_strfromUCS_le()
function. And use it for passing remaining size of buffer to prevent buffer
overflow in kernel.
Signed-off-by: Pali Rohár <pali@kernel.org>
---
fs/jfs/jfs_dtree.c | 13 ++++++++++---
fs/jfs/jfs_unicode.c | 6 +++---
fs/jfs/jfs_unicode.h | 2 +-
3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 92b7c533407c..a09c9bc46351 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -2715,6 +2715,7 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
int d_namleft, len, outlen;
unsigned long dirent_buf;
char *name_ptr;
+ int maxlen;
u32 dir_index;
int do_index = 0;
uint loop_count = 0;
@@ -2937,7 +2938,10 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
}
/* copy the name of head/only segment */
- outlen = jfs_strfromUCS_le(name_ptr, d->name, len,
+ maxlen = PAGE_SIZE - sizeof(struct jfs_dirent) -
+ (name_ptr - jfs_dirent->name);
+ outlen = jfs_strfromUCS_le(name_ptr, maxlen,
+ d->name, len,
codepage);
jfs_dirent->name_len = outlen;
@@ -2957,8 +2961,11 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
goto skip_one;
}
len = min(d_namleft, DTSLOTDATALEN);
- outlen = jfs_strfromUCS_le(name_ptr, t->name,
- len, codepage);
+ maxlen = PAGE_SIZE - sizeof(struct jfs_dirent) -
+ (name_ptr - jfs_dirent->name);
+ outlen = jfs_strfromUCS_le(name_ptr, maxlen,
+ t->name, len,
+ codepage);
jfs_dirent->name_len += outlen;
next = t->next;
diff --git a/fs/jfs/jfs_unicode.c b/fs/jfs/jfs_unicode.c
index 1d0f65d13b58..2db923872bf1 100644
--- a/fs/jfs/jfs_unicode.c
+++ b/fs/jfs/jfs_unicode.c
@@ -16,7 +16,7 @@
* FUNCTION: Convert little-endian unicode string to character string
*
*/
-int jfs_strfromUCS_le(char *to, const __le16 * from,
+int jfs_strfromUCS_le(char *to, int maxlen, const __le16 * from,
int len, struct nls_table *codepage)
{
int i;
@@ -25,12 +25,12 @@ int jfs_strfromUCS_le(char *to, const __le16 * from,
int warn = !!warn_again; /* once per string */
if (codepage) {
- for (i = 0; (i < len) && from[i]; i++) {
+ for (i = 0; (i < len) && from[i] && outlen < maxlen-1; i++) {
int charlen;
charlen =
codepage->uni2char(le16_to_cpu(from[i]),
&to[outlen],
- NLS_MAX_CHARSET_SIZE);
+ maxlen-1-outlen);
if (charlen > 0)
outlen += charlen;
else {
diff --git a/fs/jfs/jfs_unicode.h b/fs/jfs/jfs_unicode.h
index 9db62d047daa..8b5c74315e07 100644
--- a/fs/jfs/jfs_unicode.h
+++ b/fs/jfs/jfs_unicode.h
@@ -19,7 +19,7 @@ typedef struct {
extern signed char UniUpperTable[512];
extern UNICASERANGE UniUpperRange[];
extern int get_UCSname(struct component_name *, struct dentry *);
-extern int jfs_strfromUCS_le(char *, const __le16 *, int, struct nls_table *);
+extern int jfs_strfromUCS_le(char *, int, const __le16 *, int, struct nls_table *);
#define free_UCSname(COMP) kfree((COMP)->name)
--
2.20.1
next prev parent reply other threads:[~2022-12-26 14:23 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-26 14:21 [RFC PATCH v2 00/18] fs: Remove usage of broken nls_utf8 and drop it Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 01/18] fat: Fix iocharset=utf8 mount option Pali Rohár
2023-01-10 9:17 ` OGAWA Hirofumi
2023-02-04 10:57 ` Pali Rohár
2023-02-08 10:10 ` OGAWA Hirofumi
2022-12-26 14:21 ` [RFC PATCH v2 02/18] hfsplus: Add iocharset= mount option as alias for nls= Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 03/18] ntfs: Undeprecate iocharset= mount option Pali Rohár
2023-01-01 19:02 ` Kari Argillander
2023-01-01 19:06 ` Pali Rohár
2023-01-01 23:02 ` Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 04/18] ntfs: Fix error processing when load_nls() fails Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 05/18] befs: Fix printing iocharset= mount option Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 06/18] befs: Rename enum value Opt_charset to Opt_iocharset to match " Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 07/18] befs: Fix error processing when load_nls() fails Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 08/18] befs: Allow to use native UTF-8 mode Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 09/18] hfs: Explicitly set hsb->nls_disk when hsb->nls_io is set Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 10/18] hfs: Do not use broken utf8 NLS table for iocharset=utf8 mount option Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 11/18] hfsplus: " Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 12/18] jfs: Remove custom iso8859-1 implementation Pali Rohár
2022-12-26 14:21 ` Pali Rohár [this message]
2022-12-26 14:21 ` [RFC PATCH v2 14/18] jfs: Do not use broken utf8 NLS table for iocharset=utf8 mount option Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 15/18] ntfs: " Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 16/18] cifs: " Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 17/18] cifs: Remove usage of load_nls_default() calls Pali Rohár
2022-12-26 14:21 ` [RFC PATCH v2 18/18] nls: Drop broken nls_utf8 module Pali Rohár
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221226142150.13324-14-pali@kernel.org \
--to=pali@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=anton@tuxera.com \
--cc=hch@infradead.org \
--cc=hirofumi@mail.parknet.co.jp \
--cc=jack@suse.cz \
--cc=jfs-discussion@lists.sourceforge.net \
--cc=kari.argillander@gmail.com \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-ntfs-dev@lists.sourceforge.net \
--cc=lsahlber@redhat.com \
--cc=luisbg@kernel.org \
--cc=pavel@ucw.cz \
--cc=pc@cjr.nz \
--cc=salah.triki@gmail.com \
--cc=sfrench@samba.org \
--cc=shaggy@kernel.org \
--cc=slava@dubeyko.com \
--cc=sprasad@microsoft.com \
--cc=tom@talpey.com \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).