From mboxrd@z Thu Jan 1 00:00:00 1970
From: Chandan Rajendra
To: linux-fsdevel@vger.kernel.org
Cc: viro@zeniv.linux.org.uk, joe@perches.com, abdhalee@linux.vnet.ibm.com
Subject: Re: [PATCH RESEND] get_fs_type: Validate fs type string argument
Date: Tue, 20 Nov 2018 11:14:04 +0530
In-Reply-To: <20181120053642.24513-1-chandan@linux.vnet.ibm.com>
References: <20181120053642.24513-1-chandan@linux.vnet.ibm.com>
Message-Id: <2024224.sHGP59Fbbc@localhost.localdomain>

On Tuesday, November 20, 2018 11:06:42 AM IST Chandan Rajendra wrote:
> On ppc64le, when a string with PAGE_SIZE - 1 (i.e. 64k-1) length is
> passed as a "filesystem type" argument to the mount(2) syscall,
> copy_mount_string() ends up allocating 64k (the PAGE_SIZE on ppc64le)
> worth of space for holding the string in the kernel's address space.
>
> Later, in set_precision() (invoked by get_fs_type() ->
> __request_module() -> vsnprintf()), we end up assigning
> strlen(fs-type-string), i.e. 65535, as the value to the
> 'struct printf_spec'->precision member. This field has a width
> of 16 bits and it is a signed data type. Hence an invalid value ends
> up getting assigned. This causes the "WARN_ONCE(spec->precision != prec,
> "precision %d too large", prec)" statement inside set_precision() to be
> executed.
>
> This commit fixes the bug by validating the length of the "filesystem
> type" argument passed to the get_fs_type() function.
>

The following is a trivial userspace program to recreate the issue:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

#define BUFSIZE 65536

char buf[BUFSIZE];

int main(int argc, char *argv[])
{
	int ret;

	if (argc != 3) {
		fprintf(stderr, "Usage: %s <source> <target>.\n", argv[0]);
		exit(1);
	}

	/* BUFSIZE - 1 non-NUL bytes: a fs-type string of length PAGE_SIZE - 1 */
	memset(buf, 1, BUFSIZE);
	buf[BUFSIZE-1] = '\0';

	printf("strlen(buf) = %lu.\n", strlen(buf));

	/* mount() itself is expected to fail; the kernel-side WARN_ONCE is the point */
	ret = mount(argv[1], argv[2], buf, 0, NULL);
	if (ret) {
		perror("mount");
		exit(0);
	}

	exit(1);
}

-- 
chandan
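Added example, not the patch or kernel code: it models the two pieces of the report above in plain C so the narrowing can be seen without a ppc64le box. The kernel names quoted in the mail (PAGE_SIZE, struct printf_spec, set_precision) are reused; FS_TYPE_MAX, request_fs_module, precision_fits and long_fs_type_name are constructed here, and the bound of 255 is an assumption, since this mail does not quote the limit the patch chooses. That the length reaches vsnprintf() as the "%.*s" precision of the module-name format comes from the kernel source, not from the mail.

```c
/*
 * Added example (not the patch or kernel code): models the failure the
 * report describes and the length check it says get_fs_type() gains.
 * struct printf_spec, set_precision and PAGE_SIZE are names quoted in
 * the mail; FS_TYPE_MAX, request_fs_module and the enum are constructed.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 65536   /* ppc64le page size given in the report */

/*
 * Constructed bound for the fs-type name; the patch's own limit is not
 * quoted in this mail. Any bound below 32768 keeps the 16-bit signed
 * precision field from being truncated.
 */
#define FS_TYPE_MAX 255

/* Only the field that matters here: 16 signed bits, as the report says. */
struct printf_spec {
	signed int precision:16;
};

/*
 * Mirrors the kernel's check: assign, then compare. Returns false when
 * the value did not survive the narrowing (the kernel WARN_ONCEs there).
 */
static bool set_precision(struct printf_spec *spec, int prec)
{
	spec->precision = prec;
	return spec->precision == prec;
}

/* Does 'prec' fit in the precision field unchanged? */
bool precision_fits(int prec)
{
	struct printf_spec spec = { 0 };

	return set_precision(&spec, prec);
}

enum fs_type_outcome {
	FS_TYPE_ACCEPTED,          /* name reached module loading intact */
	FS_TYPE_REJECTED,          /* length check refused it up front */
	FS_TYPE_PRECISION_WARNED,  /* no check: length truncated in set_precision() */
};

/*
 * Simulates get_fs_type() -> __request_module() -> vsnprintf() for one
 * fs-type string. With 'validate' set, over-long names are rejected
 * before their length is ever used as a printf precision.
 */
enum fs_type_outcome request_fs_module(const char *name, bool validate)
{
	struct printf_spec spec = { 0 };
	size_t len = strlen(name);

	if (validate && len > FS_TYPE_MAX)
		return FS_TYPE_REJECTED;

	/* The kernel passes len as the ".*" precision; this is where it narrows. */
	if (!set_precision(&spec, (int)len))
		return FS_TYPE_PRECISION_WARNED;

	return FS_TYPE_ACCEPTED;
}

/* Builds the reproducer's input: PAGE_SIZE - 1 non-NUL bytes, NUL-terminated. */
const char *long_fs_type_name(void)
{
	static char buf[PAGE_SIZE];

	memset(buf, 'a', PAGE_SIZE - 1);
	buf[PAGE_SIZE - 1] = '\0';
	return buf;
}

int main(void)
{
	const char *longname = long_fs_type_name();

	printf("strlen = %zu\n", strlen(longname));
	printf("65535 fits in precision: %s\n", precision_fits(65535) ? "yes" : "no");
	printf("unvalidated long name: outcome %d\n", request_fs_module(longname, false));
	printf("validated long name:   outcome %d\n", request_fs_module(longname, true));
	printf("\"ext4\":                outcome %d\n", request_fs_module("ext4", true));
	return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. What 65535 becomes after assignment to a signed 16-bit bit-field is implementation-defined in C (gcc yields -1); the kernel's WARN_ONCE and this example rely only on the fact that it no longer equals the original prec, which is why a length check placed before the format call, rather than a fix inside set_precision(), is what the patch description proposes.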