From: Sasha Levin
To: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
CC: Nikolay Borisov, David Sterba, Sasha Levin
Subject: [PATCH AUTOSEL for 4.14 064/100] btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
Date: Sun, 28 Jan 2018 22:26:40 +0000
Message-ID: <20180128222547.7398-64-alexander.levin@microsoft.com>
References: <20180128222547.7398-1-alexander.levin@microsoft.com>
In-Reply-To: <20180128222547.7398-1-alexander.levin@microsoft.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
X-Mailing-List: stable@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nikolay Borisov

[ Upstream commit c8bcbfbd239ed60a6562964b58034ac8a25f4c31 ]

The name char array passed to btrfs_search_path_in_tree is of size
BTRFS_INO_LOOKUP_PATH_MAX (4080). So the actual accessible char indexes
are in the range of [0, 4079]. Currently the code uses the define but
this represents an off-by-one.

Implications:

Size of btrfs_ioctl_ino_lookup_args is 4096, so the new byte will be
written to extra space, not some padding that could be provided by the
allocator.

btrfs-progs store the arguments on stack, but kernel does own copy of the
ioctl buffer and the off-by-one overwrite does not affect userspace, but
the ending 0 might be lost.

Kernel ioctl buffer is allocated dynamically so we're overwriting
somebody else's memory, and the ioctl is privileged if args.objectid is
not 256. Which is in most cases, but resolving a subvolume stored in
another directory will trigger that path.

Before this patch the buffer was one byte larger, but then the -1 was not
added.

Fixes: ac8e9819d71f907 ("Btrfs: add search and inode lookup ioctls")
Signed-off-by: Nikolay Borisov
Reviewed-by: David Sterba
[ added implications ]
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin
--- fs/btrfs/ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 1f1338d52303..2763f3184ac5 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2221,7 +2221,7 @@ static noinline int btrfs_search_path_in_tree(struct = btrfs_fs_info *info, if (!path) return -ENOMEM; =20 - ptr =3D &name[BTRFS_INO_LOOKUP_PATH_MAX]; + ptr =3D &name[BTRFS_INO_LOOKUP_PATH_MAX - 1]; =20 key.objectid =3D tree_id; key.type =3D BTRFS_ROOT_ITEM_KEY; --=20 2.11.0
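Review bot: the hunk corrects only the initial value of ptr; the write that actually spilled (the terminating 0 the commit message says "might be lost") and the length reported back from name[] are outside the visible context, so please confirm that every later bound derived from ptr, including the final NUL placement and the length copied to userspace, is consistent with the last valid index now being BTRFS_INO_LOOKUP_PATH_MAX - 1, rather than just shifted by one at this line. Since the Fixes commit went wrong exactly when the buffer shrank by a byte ("Before this patch the buffer was one byte larger, but then the -1 was not added"), a short comment at the assignment, e.g. `/* name[] holds BTRFS_INO_LOOKUP_PATH_MAX bytes; last valid index is MAX - 1 */`, would keep the next resize from reintroducing it. For the stable pick it is also worth stating in the backport justification that, per the commit message, this is a one-byte out-of-bounds write into a dynamically allocated kernel ioctl buffer, i.e. a memory-safety fix rather than a cosmetic one.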
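The off-by-one described in the commit message, as an added C model that is not the kernel's code: a simplified stand-in for the backwards path assembly (components prepended from an end index, result moved to name[0] and NUL-terminated at name[total_len]) with an explicit bounds check that reports where the terminator would land. The function names, the leaf-to-root component order and the error codes used for the two failure modes are assumptions of this model; only the array size 4080 comes from the page.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define BTRFS_INO_LOOKUP_PATH_MAX 4080  /* array size quoted in the commit message */

/* Simplified model (not the kernel's btrfs_search_path_in_tree): components
 * are prepended into name[] from an end index, the result is moved to name[0]
 * and NUL-terminated at name[total_len].  `start` is the index the end pointer
 * begins at: PATH_MAX reproduces the bug, PATH_MAX - 1 the fix.  Components
 * come leaf-to-root, each followed by '/'.  Returns 0, -ENAMETOOLONG if the
 * path does not fit, -EOVERFLOW if the NUL would land one past the array. */
static int build_path_backwards(char *name, size_t name_size, size_t start,
                                const char *const *comp, size_t n,
                                size_t *total_out)
{
    size_t pos = start;      /* index the end pointer currently sits at */
    size_t total_len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(comp[i]);
        if (pos < len + 1)
            return -ENAMETOOLONG;  /* would run in front of name[0] */
        pos -= len + 1;
        total_len += len + 1;
        memcpy(&name[pos], comp[i], len);
        name[pos + len] = '/';
    }
    memmove(name, &name[pos], total_len);
    /* With start == name_size, total_len can reach name_size and the NUL
     * below would be written one byte past the array: the off-by-one. */
    if (total_len >= name_size)
        return -EOVERFLOW;
    name[total_len] = '\0';
    *total_out = total_len;
    return 0;
}

/* Longest single-component path for a given start index: with PATH_MAX the
 * terminator spills, with PATH_MAX - 1 it stays inside name[]. */
static int probe_max_path(size_t start)
{
    static char name[BTRFS_INO_LOOKUP_PATH_MAX];
    static char comp[BTRFS_INO_LOOKUP_PATH_MAX];
    const char *c[1] = { comp };
    size_t total;
    memset(comp, 'a', start - 1);   /* len + 1 == start fills name[] exactly */
    comp[start - 1] = '\0';
    return build_path_backwards(name, sizeof name, start, c, 1, &total);
}
```

Calling probe_max_path with the two start values shows the difference the one-line patch makes: the buggy index lets a 4080-byte path be assembled whose terminator has no slot inside the array, while the corrected index caps the path at 4079 bytes plus the NUL.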