public inbox for stable@vger.kernel.org
From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Al Viro" <viro@zeniv.linux.org.uk>
Subject: [PATCH 3.2 42/46] get_rock_ridge_filename(): handle malformed NM entries
Date: Sun, 12 Jun 2016 22:34:42 +0100
Message-ID: <lsq.1465767282.477281548@decadent.org.uk>
In-Reply-To: <lsq.1465767281.501580564@decadent.org.uk>

3.2.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 99d825822eade8d827a1817357cbf3f889a552d6 upstream.

Payloads of NM entries are not supposed to contain NUL.  When we run
into such, only the part prior to the first NUL goes into the
concatenation (i.e. the directory entry name being encoded by a bunch
of NM entries).  We do stop when the amount collected so far + the
claimed amount in the current NM entry exceed 254.  So far, so good,
but what we return as the total length is the sum of *claimed*
sizes, not the actual amount collected.  And that can grow pretty
large - not unlimited, since you'd need to put CE entries in
between to be able to get more than the maximum that could be
contained in one isofs directory entry / continuation chunk and
we stop once we've encountered 32 CEs, but you can get about 8Kb
easily.  And that's what will be passed to readdir callback as the
name length.  8Kb __copy_to_user() from a buffer allocated by
__get_free_page()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/isofs/rock.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_d
 	int retnamlen = 0;
 	int truncate = 0;
 	int ret = 0;
+	char *p;
+	int len;
 
 	if (!ISOFS_SB(inode->i_sb)->s_rock)
 		return 0;
@@ -267,12 +269,17 @@ repeat:
 					rr->u.NM.flags);
 				break;
 			}
-			if ((strlen(retname) + rr->len - 5) >= 254) {
+			len = rr->len - 5;
+			if (retnamlen + len >= 254) {
 				truncate = 1;
 				break;
 			}
-			strncat(retname, rr->u.NM.name, rr->len - 5);
-			retnamlen += rr->len - 5;
+			p = memchr(rr->u.NM.name, '\0', len);
+			if (unlikely(p))
+				len = p - rr->u.NM.name;
+			memcpy(retname + retnamlen, rr->u.NM.name, len);
+			retnamlen += len;
+			retname[retnamlen] = '\0';
 			break;
 		case SIG('R', 'E'):
 			kfree(rs.buffer);
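Review bot: `len = rr->len - 5` goes negative for an NM entry whose `rr->len` is below 5, and nothing in this hunk guards that case: a negative `len` passes `retnamlen + len >= 254` and is then converted to a very large `size_t` in `memchr()` and `memcpy()`. The removed lines did the same arithmetic with `strncat()`, so this is not a regression, but if the NM case already rejects `rr->len < 5` above the visible context, a short comment pointing at that check would save the next reader the search; otherwise add `if (len < 0) break;` ahead of the length check. The substantive change is right: bounding on `retnamlen` rather than `strlen(retname)` and cutting each payload at its first NUL means the length handed to the readdir callback now equals the bytes actually placed in `retname`, and the explicit `retname[retnamlen] = '\0'` keeps the buffer terminated now that `strncat()` is gone.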


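As an added illustration of the commit message, not code from the patch or from the kernel tree: a userspace C model of the NM concatenation loop before and after the fix, run over a constructed sequence of four NM entries whose payloads carry a NUL after two bytes. The function and constant names (`namelen_before_fix`, `namelen_after_fix`, `NM_HDR`, `NAME_MAX`, `entries`) are assumptions of the model; the 5-byte NM header and the 254 bound come from the patch.

```c
#include <string.h>

#define NM_HDR   5    /* "NM", len, version, flags precede the name bytes */
#define NAME_MAX 254  /* bound the kernel loop enforces on the collected name */

struct nm_entry { unsigned char len; const char *name; };

/* Constructed input (assumed for the model): four NM entries each claiming
 * 55 name bytes (len 60) but carrying only "ab" ahead of a run of NULs. */
static const char payload[55] = "ab";
static const struct nm_entry entries[4] = {
	{ 60, payload }, { 60, payload }, { 60, payload }, { 60, payload },
};

/* Pre-fix logic: strncat() stops at the NUL, but the claimed size is counted. */
static int namelen_before_fix(const struct nm_entry *e, int n, char *out)
{
	int retnamlen = 0, i;
	out[0] = '\0';
	for (i = 0; i < n; i++) {
		int claimed = e[i].len - NM_HDR;
		if (strlen(out) + claimed >= NAME_MAX)
			break;                  /* truncate */
		strncat(out, e[i].name, claimed);
		retnamlen += claimed;           /* bug: claimed, not copied */
	}
	return retnamlen;
}

/* Post-fix logic: bound on bytes collected, cut each payload at its first NUL. */
static int namelen_after_fix(const struct nm_entry *e, int n, char *out)
{
	int retnamlen = 0, i;
	out[0] = '\0';
	for (i = 0; i < n; i++) {
		int len = e[i].len - NM_HDR;
		const char *p;
		if (retnamlen + len >= NAME_MAX)
			break;
		p = memchr(e[i].name, '\0', len);
		if (p)
			len = p - e[i].name;    /* keep only the part before the NUL */
		memcpy(out + retnamlen, e[i].name, len);
		retnamlen += len;
		out[retnamlen] = '\0';          /* strncat() no longer terminates for us */
	}
	return retnamlen;
}
```

Given a 256-byte output buffer, the pre-fix model returns 220 while only 8 bytes land in the buffer; the post-fix model returns 8, matching what it copied.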