Amir Goldstein 522f6e6cba ovl: fix out of bounds access warning in ovl_check_fb_len() ... syzbot reported out of bounds memory access from open_by_handle_at() with a crafted file handle that looks like this: { .handle_bytes = 2, .handle_type = OVL_FILEID_V1 } handle_bytes gets rounded down to 0 and we end up calling: ovl_check_fh_len(fh, 0) => ovl_check_fb_len(fh + 3, -3) But fh buffer is only 2 bytes long, so accessing struct ovl_fb at fh + 3 is illegal. Fixes: cbe7fba8ed ("ovl: make sure that real fid is 32bit aligned in memory") Reported-and-tested-by: syzbot+61958888b1c60361a791@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> # v5.5 Signed-off-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>		2020-06-02 22:20:25 +02:00
..
copy_up.c	ovl: prepare to copy up without workdir	2020-05-13 11:11:24 +02:00
dir.c	ovl: whiteout inode sharing	2020-05-13 11:11:24 +02:00
export.c	ovl: return required buffer size for file handles	2020-05-13 11:11:24 +02:00
file.c	ovl: fix lockdep warning for async write	2020-03-13 15:53:06 +01:00
inode.c	ovl: clear ATTR_OPEN from attr->ia_valid	2020-04-30 11:52:07 +02:00
Kconfig	ovl: fix some xino configurations	2020-03-13 15:53:06 +01:00
Makefile	treewide: Add SPDX license identifier - Makefile/Kconfig	2019-05-21 10:50:46 +02:00
namei.c	ovl: cleanup non-empty directories in ovl_indexdir_cleanup()	2020-05-13 11:11:24 +02:00
overlayfs.h	ovl: fix out of bounds access warning in ovl_check_fb_len()	2020-06-02 22:20:25 +02:00
ovl_entry.h	ovl: whiteout inode sharing	2020-05-13 11:11:24 +02:00
readdir.c	ovl: whiteout inode sharing	2020-05-13 11:11:24 +02:00
super.c	ovl: sync dirty data when remounting to ro mode	2020-05-13 11:11:24 +02:00
util.c	ovl: whiteout inode sharing	2020-05-13 11:11:24 +02:00