linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jann Horn <jannh@google.com>,
	Jeff Mahoney <jeffm@suse.com>, Eric Biggers <ebiggers@google.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.18 56/56] reiserfs: fix broken xattr handling (heap corruption, bad retval)
Date: Sun, 26 Aug 2018 08:45:17 +0200
Message-ID: <20180826064234.971688832@linuxfoundation.org>
In-Reply-To: <20180826064232.320669119@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.

This fixes the following issues:

- When a buffer size is supplied to reiserfs_listxattr() such that each
  individual name fits, but the concatenation of all names doesn't fit,
  reiserfs_listxattr() overflows the supplied buffer.  This leads to a
  kernel heap overflow (verified using KASAN) followed by an out-of-bounds
  usercopy and is therefore a security bug.

- When a buffer size is supplied to reiserfs_listxattr() such that a
  name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
  truncates the list of names; I have verified that if the only xattr on a
  file has a longer name than the supplied buffer length, listxattr()
  incorrectly returns zero.

With my patch applied, -ERANGE is returned in both cases and the memory
corruption doesn't happen anymore.

Credit for making me clean this code up a bit goes to Al Viro, who pointed
out that the ->actor calling convention is suboptimal and should be
changed.

Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Cc: Eric Biggers <ebiggers@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/reiserfs/xattr.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -842,8 +842,10 @@ static int listxattr_filler(void *buf, c
 			size = handler->list(b->dentry, b->buf + b->pos,
 					 b->size, name, namelen,
 					 handler->flags);
-			if (size > b->size)
+			if (b->pos + size > b->size) {
+				b->pos = -ERANGE;
 				return -ERANGE;
+			}
 		} else {
 			size = handler->list(b->dentry, NULL, 0, name,
 					     namelen, handler->flags);
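Review bot: the moved check at `if (b->pos + size > b->size)` still runs after `handler->list()` has been handed `b->buf + b->pos` together with a length of `b->size`, the whole buffer, rather than the space left, `b->size - b->pos`; if the handler copies the name whenever it fits the length it is given, the bytes past the end of the buffer have already been written by the time the -ERANGE path is taken, so in this tree the new condition only corrects the return value. Passing `b->size - b->pos` as the length argument keeps the write from happening in the first place and makes the check after the call a pure bookkeeping step. Storing `-ERANGE` into `b->pos` is the right way to reach the caller when the readdir walk discards the filler's return, but a one-line comment there would help, since a negative errno parked in a position field is easy to misread as a size later.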



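The two failure modes the commit message describes, as an added example that is not code from the page, from the patch author, or from the kernel: a user-space model of the listxattr filler with the vulnerable bound and with the fixed bound, driven by a loop that mimics a directory walk which stops on a non-zero filler return but does not pass it on. The name copy is written inline (the shape of upstream's listxattr_filler) rather than through the ->list() handlers that the 3.18 hunk calls, and a canary after the caller's buffer stands in for what KASAN reported; the inputs are constructed for the example.

```c
/*
 * Added example, not code from the page or from the kernel: a user-space model
 * of the reiserfs listxattr filler before and after the fix described in the
 * commit message.  The readdir walk is a plain loop, the name copy is inline
 * (upstream listxattr_filler shape) rather than via the ->list() handlers the
 * 3.18 hunk calls, and a canary after the caller's buffer stands in for KASAN.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define CANARY_LEN 16
#define CANARY_BYTE 0xA5

struct listxattr_buf {
	size_t size;	/* caller-supplied buffer length */
	size_t pos;	/* bytes emitted so far; the fix also parks -ERANGE here */
	char *buf;	/* NULL when the caller only asks for the required size */
};

typedef int (*filler_fn)(struct listxattr_buf *, const char *);
static int last_corrupt;	/* set by run_case() when the canary was overwritten */

/* Vulnerable filler: the bound ignores what is already in the buffer. */
static int filler_before(struct listxattr_buf *b, const char *name)
{
	size_t size = strlen(name) + 1;
	if (b->buf) {
		if (size > b->size)
			return -ERANGE;
		memcpy(b->buf + b->pos, name, size - 1);	/* may run past buf+size */
		b->buf[b->pos + size - 1] = '\0';
	}
	b->pos += size;
	return 0;
}

/* Fixed filler: bound on the current position and leave -ERANGE in pos. */
static int filler_after(struct listxattr_buf *b, const char *name)
{
	size_t size = strlen(name) + 1;
	if (b->buf) {
		if (b->pos + size > b->size) {
			b->pos = (size_t)-ERANGE;	/* survives a walk that drops our return */
			return -ERANGE;
		}
		memcpy(b->buf + b->pos, name, size - 1);
		b->buf[b->pos + size - 1] = '\0';
	}
	b->pos += size;
	return 0;
}

/* The walk stops on a non-zero filler return but does not pass it on; the
 * caller reports buf.pos as the listxattr() result, hence -ERANGE in pos. */
static ssize_t model_listxattr(filler_fn filler, const char *const *names,
			       size_t nnames, char *buf, size_t bufsize)
{
	struct listxattr_buf b = { .size = bufsize, .pos = 0, .buf = buf };
	size_t i;
	for (i = 0; i < nnames; i++)
		if (filler(&b, names[i]) != 0)
			break;
	return (ssize_t)b.pos;
}

/* One scenario: bufsize bytes of buffer followed by a canary; returns the
 * modelled listxattr() result and records a canary hit in last_corrupt. */
static ssize_t run_case(filler_fn filler, const char *const *names,
			size_t nnames, size_t bufsize)
{
	char storage[256];	/* bufsize + CANARY_LEN must fit in here */
	ssize_t ret;
	size_t i;
	memset(storage, CANARY_BYTE, sizeof(storage));
	ret = model_listxattr(filler, names, nnames, storage, bufsize);
	last_corrupt = 0;
	for (i = bufsize; i < bufsize + CANARY_LEN; i++)
		if ((unsigned char)storage[i] != CANARY_BYTE)
			last_corrupt = 1;
	return ret;
}

/* Constructed inputs: "user.aaaa" and "user.bbbb" each need 10 bytes with the
 * NUL, so each fits a 10-byte buffer alone but not both; the long one never fits. */
static const char *const two_names[] = { "user.aaaa", "user.bbbb" };
static const char *const long_name[] = { "user.toolong" };

int main(void)
{
	ssize_t r;
	r = run_case(filler_before, two_names, 2, 10);
	printf("before, two names: ret=%zd, canary %s\n", r, last_corrupt ? "CLOBBERED" : "intact");
	r = run_case(filler_after, two_names, 2, 10);
	printf("after,  two names: ret=%zd, canary %s\n", r, last_corrupt ? "CLOBBERED" : "intact");
	printf("before, long name: ret=%zd (0 instead of -ERANGE)\n", run_case(filler_before, long_name, 1, 4));
	printf("after,  long name: ret=%zd\n", run_case(filler_after, long_name, 1, 4));
	return 0;
}
```

With the old bound, the second name passes `size > b->size`, lands at offset 10 of a 10-byte buffer and overwrites the canary, and the reported length of 20 is what a caller would then hand to the usercopy; with the old bound and a single over-long name, the filler's -ERANGE is dropped by the walk and the caller sees 0. The fixed filler returns -ERANGE in both cases and leaves the canary untouched. Note that the 3.18 hunk above performs the copy inside `handler->list()` with `b->size` as the length, which this model does not reproduce.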

Thread overview: 58+ messages
2018-08-26  6:44 [PATCH 3.18 00/56] 3.18.120-stable review Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 01/56] dccp: fix undefined behavior with cwnd shift in ccid2_cwnd_restart() Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 02/56] l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 03/56] llc: use refcount_inc_not_zero() for llc_sap_find() Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 04/56] net_sched: Fix missing res info when create new tc_index filter Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 05/56] net_sched: fix NULL pointer dereference when delete tcindex filter Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 06/56] vsock: split dwork to avoid reinitializations Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 07/56] ALSA: vx222: Fix invalid endian conversions Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 08/56] ALSA: virmidi: Fix too long output trigger loop Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 09/56] ALSA: cs5535audio: Fix invalid endian conversion Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 10/56] ALSA: memalloc: Dont exceed over the requested size Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 11/56] ALSA: vxpocket: Fix invalid endian conversions Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 12/56] USB: serial: sierra: fix potential deadlock at close Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 13/56] serial: 8250_dw: always set baud rate in dw8250_set_termios Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 14/56] Bluetooth: avoid killing an already killed socket Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 15/56] isdn: Disable IIOCDBGVAR Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 16/56] netfilter: ipv6: nf_defrag: reduce struct net memory waste Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 17/56] selftests: sync: add config fragment for testing sync framework Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 18/56] usb: dwc2: fix isoc split in transfer with no data Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 19/56] usb: gadget: composite: fix delayed_status race condition when set_interface Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 20/56] arm64: make secondary_start_kernel() notrace Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 21/56] enic: initialize enic->rfs_h.lock in enic_probe Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 22/56] net: hamradio: use eth_broadcast_addr Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 23/56] net: propagate dev_get_valid_name return code Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 24/56] net: davinci_emac: match the mdio device against its compatible if possible Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 25/56] locking/lockdep: Do not record IRQ state within lockdep code Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 26/56] ipv6: mcast: fix unsolicited report interval after receiving querys Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 27/56] Smack: Mark inode instant in smack_task_to_inode Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 28/56] cxgb4: when disabling dcb set txq dcb priority to 0 Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 29/56] brcmfmac: stop watchdog before detach and free everything Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 30/56] ARM: dts: am437x: make edt-ft5x06 a wakeup source Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 31/56] perf report powerpc: Fix crash if callchain is empty Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 32/56] ARM: dts: da850: Fix interrups property for gpio Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 33/56] dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 34/56] md/raid10: fix that replacement cannot complete recovery after reassemble Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 35/56] drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 36/56] bnx2x: Fix receiving tx-timeout in error or recovery state Greg Kroah-Hartman
2018-08-26  6:44 ` [PATCH 3.18 38/56] ARM: imx_v4_v5_defconfig: Select ULPI support Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 40/56] smsc75xx: Add workaround for gigabit link up hardware errata Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 41/56] netfilter: x_tables: set module owner for icmp(6) matches Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 42/56] ARM: pxa: irq: fix handling of ICMR registers in suspend/resume Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 43/56] drm/armada: fix colorkey mode property Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 44/56] ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 45/56] ixgbe: Be more careful when modifying MAC filters Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 46/56] qlogic: check kstrtoul() for errors Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 47/56] net: usb: rtl8150: demote allmulti message to dev_dbg() Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 48/56] net: qca_spi: Avoid packet drop during initial sync Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 49/56] net: qca_spi: Make sure the QCA7000 reset is triggered Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 51/56] staging: android: ion: check for kref overflow Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 52/56] xfrm_user: prevent leaking 2 bytes of kernel memory Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 53/56] netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 54/56] packet: refine ring v3 block size test to hold one frame Greg Kroah-Hartman
2018-08-26  6:45 ` [PATCH 3.18 55/56] PCI: hotplug: Dont leak pci_slot on registration failure Greg Kroah-Hartman
2018-08-26  6:45 ` Greg Kroah-Hartman [this message]
2018-08-26  8:14 ` [PATCH 3.18 00/56] 3.18.120-stable review Nathan Chancellor
2018-08-26  8:44   ` Greg Kroah-Hartman
2018-08-26 14:04 ` Guenter Roeck
2018-08-27 19:30 ` Shuah Khan
