From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Li Nan <linan122@huawei.com>,
Wu Guanghao <wuguanghao3@huawei.com>,
Ard Biesheuvel <ardb@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 20/33] efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Date: Tue, 2 Sep 2025 15:21:38 +0200 [thread overview]
Message-ID: <20250902131927.846198690@linuxfoundation.org> (raw)
In-Reply-To: <20250902131927.045875971@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Nan <linan122@huawei.com>
[ Upstream commit a6358f8cf64850f3f27857b8ed8c1b08cfc4685c ]
Observed on kernel 6.6 (present on master as well):
BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
Call trace:
kasan_check_range+0xe8/0x190
__asan_loadN+0x1c/0x28
memcmp+0x98/0xd0
efivarfs_d_compare+0x68/0xd8
__d_lookup_rcu_op_compare+0x178/0x218
__d_lookup_rcu+0x1f8/0x228
d_alloc_parallel+0x150/0x648
lookup_open.isra.0+0x5f0/0x8d0
open_last_lookups+0x264/0x828
path_openat+0x130/0x3f8
do_filp_open+0x114/0x248
do_sys_openat2+0x340/0x3c0
__arm64_sys_openat+0x120/0x1a0
If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become
negative, leadings to oob. The issue can be triggered by parallel
lookups using invalid filename:
T1 T2
lookup_open
->lookup
simple_lookup
d_add
// invalid dentry is added to hash list
lookup_open
d_alloc_parallel
__d_lookup_rcu
__d_lookup_rcu_op_compare
hlist_bl_for_each_entry_rcu
// invalid dentry can be retrieved
->d_compare
efivarfs_d_compare
// oob
Fix it by checking 'guid' before cmp.
Fixes: da27a24383b2 ("efivarfs: guid part of filenames are case-insensitive")
Signed-off-by: Li Nan <linan122@huawei.com>
Signed-off-by: Wu Guanghao <wuguanghao3@huawei.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/efivarfs/super.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
index 99d002438008b..124db520b2bd6 100644
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -47,6 +47,10 @@ static int efivarfs_d_compare(const struct dentry *dentry,
{
int guid = len - EFI_VARIABLE_GUID_LEN;
+ /* Parallel lookups may produce a temporary invalid filename */
+ if (guid <= 0)
+ return 1;
+
if (name->len != len)
return 1;
--
2.50.1
next prev parent reply other threads:[~2025-09-02 13:42 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-02 13:21 [PATCH 5.15 00/33] 5.15.191-rc1 review Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 01/33] pinctrl: STMFX: add missing HAS_IOMEM dependency Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 02/33] ftrace: Fix potential warning in trace_printk_seq during ftrace_dump Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 03/33] scsi: core: sysfs: Correct sysfs attributes access rights Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 04/33] ASoC: codecs: tx-macro: correct tx_macro_component_drv name Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 05/33] nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 06/33] NFS: Fix a race when updating an existing write Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 07/33] vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 08/33] udf: Fix directory iteration for longer tail extents Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 09/33] net: ipv4: fix regression in local-broadcast routes Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 10/33] powerpc/kvm: Fix ifdef to remove build warning Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 11/33] Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 12/33] atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 13/33] net: dlink: fix multicast stats being counted incorrectly Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 14/33] phy: mscc: Fix when PTP clock is register and unregister Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 15/33] net/mlx5e: Update and set Xon/Xoff upon MTU set Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 16/33] net/mlx5e: Update and set Xon/Xoff upon port speed set Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 17/33] net/mlx5e: Set local Xoff after FW update Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 18/33] net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 19/33] sctp: initialize more fields in sctp_v6_from_sk() Greg Kroah-Hartman
2025-09-02 13:21 ` Greg Kroah-Hartman [this message]
2025-09-02 13:21 ` [PATCH 5.15 21/33] KVM: x86: use array_index_nospec with indices that come from guest Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 22/33] HID: asus: fix UAF via HID_CLAIMED_INPUT validation Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 23/33] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 24/33] HID: wacom: Add a new Art Pen 2 Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 25/33] HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 26/33] Revert "drm/amdgpu: fix incorrect vm flags to map bo" Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 27/33] dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 28/33] net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 29/33] drm/nouveau/disp: Always accept linear modifier Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 30/33] HID: mcp2221: Dont set bus speed on every transfer Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 31/33] HID: mcp2221: Handle reads greater than 60 bytes Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 32/33] Revert "drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS" Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.15 33/33] xfs: do not propagate ENODATA disk errors into xattr code Greg Kroah-Hartman
2025-09-02 16:31 ` 5.15.191-rc1 review Brett A C Sheffield
2025-09-02 17:32 ` [PATCH 5.15 00/33] " Florian Fainelli
2025-09-02 18:03 ` Jon Hunter
2025-09-03 7:03 ` Naresh Kamboju
2025-09-03 8:00 ` Vijayendra Suman
2025-09-03 9:36 ` Ron Economos
2025-09-03 10:51 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250902131927.846198690@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ardb@kernel.org \
--cc=linan122@huawei.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=wuguanghao3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).