Kernel/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-01-16 18:08:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
linux/fs
History
Eric Sandeen fa520c47ea fscache: Fix out of bound read in long cookie keys 
fscache_set_key() can incur an out-of-bounds read, reported by KASAN:

 BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x5b3/0x680 [fscache]
 Read of size 4 at addr ffff88084ff056d4 by task mount.nfs/32615

and also reported by syzbot at https://lkml.org/lkml/2018/7/8/236

  BUG: KASAN: slab-out-of-bounds in fscache_set_key fs/fscache/cookie.c:120 [inline]
  BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880 fs/fscache/cookie.c:171
  Read of size 4 at addr ffff8801d3cc8bb4 by task syz-executor907/4466

This happens for any index_key_len which is not divisible by 4 and is
larger than the size of the inline key, because the code allocates exactly
index_key_len for the key buffer, but the hashing loop is stepping through
it 4 bytes (u32) at a time in the buf[] array.

Fix this by calculating how many u32 buffers we'll need by using
DIV_ROUND_UP, and then using kcalloc() to allocate a precleared allocation
buffer to hold the index_key, then using that same count as the hashing
index limit.

Fixes: ec0328e46d6e ("fscache: Maintain a catalogue of allocated cookies")
Reported-by: syzbot+a95b989b2dde8e806af8@syzkaller.appspotmail.com
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-18 11:32:21 +02:00
..
9p
Pull request for inclusion in 4.19, take two
2018-08-17 17:27:58 -07:00
adfs
adfs: use timespec64 for time conversion
2018-08-22 10:52:51 -07:00
affs
affs: fix potential memory leak when parsing option 'prefix'
2018-05-28 12:36:41 +02:00
afs
afs: Fix clearance of reply
2018-10-15 15:31:47 +02:00
autofs
Merge branch 'akpm' (patches from Andrew)
2018-08-22 12:34:08 -07:00
befs
fix a series of Documentation/ broken file name references
2018-06-15 18:10:01 -03:00
bfs
bfs_add_entry: pass name/len as qstr pointer
2018-05-22 14:27:50 -04:00
btrfs
for-4.19-rc2-tag
2018-09-06 09:04:45 -07:00
cachefiles
cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
2018-10-18 11:32:21 +02:00
ceph
ceph: avoid a use-after-free in ceph_destroy_options()
2018-09-06 16:18:04 +02:00
cifs
smb3: fix lease break problem introduced by compounding
2018-10-02 18:54:09 -05:00
coda
vfs: change inode times to use struct timespec64
2018-06-05 16:57:31 -07:00
configfs
configfs: fix registered group removal
2018-07-17 06:14:07 -07:00
cramfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
crypto
f2fs-for-4.18-rc1
2018-06-11 10:16:13 -07:00
debugfs
Revert "debugfs: inode: debugfs_create_dir uses mode permission from parent"
2018-06-12 20:52:16 -07:00
devpts
devpts: Convert to new IDA API
2018-08-21 23:54:17 -04:00
dlm
treewide: Use array_size() in vmalloc()
2018-06-12 16:19:22 -07:00
ecryptfs
Merge branch 'fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs into aio-base
2018-05-26 09:16:25 +02:00
efivarfs
efivars: Call guid_parse() against guid_t type of variable
2018-07-22 14:13:44 +02:00
efs
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
exofs
exofs: use bio_clone_fast in _write_mirror
2018-07-24 14:43:20 -06:00
exportfs
ovl: do not try to reconnect a disconnected origin dentry
2018-04-12 12:04:49 +02:00
ext2
ext2, dax: set ext2_dax_aops for dax files
2018-09-19 15:03:04 +02:00
ext4
Various ext4 bug fixes; primarily making ext4 more robust against
2018-09-17 09:13:47 +02:00
f2fs
f2fs-for-4.19-rc1
2018-08-22 13:29:39 -07:00
fat
fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
2018-10-13 09:31:03 +02:00
freevxfs
freevxfs_lookup(): use d_splice_alias()
2018-05-22 14:27:51 -04:00
fscache
fscache: Fix out of bound read in long cookie keys
2018-10-18 11:32:21 +02:00
fuse
fuse update for 4.19
2018-08-21 18:47:36 -07:00
gfs2
gfs2: Fix iomap buffered write support for journaled files (2)
2018-10-12 17:14:42 +02:00
hfs
hfs: prevent crash on exit from failed search
2018-08-23 18:48:42 -07:00
hfsplus
hfsplus: prevent crash on exit from failed search
2018-08-23 18:48:42 -07:00
hostfs
vfs: discard ATTR_ATTR_FLAG
2018-08-17 16:20:28 -07:00
hpfs
hpfs: remove unnecessary checks on the value of r when assigning error code
2018-08-25 12:42:33 -07:00
hugetlbfs
mm: zero out the vma in vma_init()
2018-08-22 10:52:44 -07:00
isofs
isofs: reject hardware sector size > 2048 bytes
2018-08-21 11:37:41 +02:00
jbd2
jbd2: replace current_kernel_time64 with ktime equivalent
2018-07-29 15:51:47 -04:00
jffs2
jffs2: use unsigned 32-bit timstamps consistently
2018-07-18 16:44:01 +02:00
jfs
Just one jfs patch for 4.19
2018-08-15 22:47:23 -07:00
kernfs
Driver core patches for 4.19-rc1
2018-08-18 11:44:53 -07:00
lockd
nfsd: fix leaked file lock with nfs exported overlayfs
2018-08-09 16:11:21 -04:00
minix
minix_lookup: use d_splice_alias()
2018-05-22 14:27:52 -04:00
nfs
NFS client bugfixes for Linux 4.19
2018-09-14 19:25:28 -10:00
nfs_common
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nfsd
vfs: swap names of {do,vfs}_clone_file_range()
2018-09-24 10:54:01 +02:00
nilfs2
nilfs2: convert to SPDX license tags
2018-09-04 16:45:02 -07:00
nls
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
notify
fsnotify: fix ignore mask logic in fsnotify()
2018-09-03 14:57:41 +02:00
ntfs
ntfs: mft: remove VLA usage
2018-08-17 16:20:27 -07:00
ocfs2
ocfs2: fix a GCC warning
2018-10-13 09:31:02 +02:00
omfs
omfs_lookup(): report IO errors, use d_splice_alias()
2018-05-22 14:27:58 -04:00
openpromfs
openpromfs: switch to d_splice_alias()
2018-05-22 14:27:57 -04:00
orangefs
orangefs: remove redundant pointer orangefs_inode
2018-08-14 12:07:14 -04:00
overlayfs
ovl: fix format of setxattr debug
2018-10-04 14:49:10 +02:00
proc
proc: restrict kernel stack dumps to root
2018-10-05 16:32:05 -07:00
pstore
pstore/ram: Fix failure-path memory leak in ramoops_init
2018-09-30 10:15:41 -07:00
qnx4
qnx4_lookup: use d_splice_alias()
2018-05-22 14:27:52 -04:00
qnx6
qnx6_lookup: switch to d_splice_alias()
2018-05-22 14:27:54 -04:00
quota
fs/quota: Fix spectre gadget in do_quotactl
2018-08-22 18:17:48 +02:00
ramfs
mm: make pagevec_lookup() update index
2017-09-06 17:27:26 -07:00
reiserfs
reiserfs: fix broken xattr handling (heap corruption, bad retval)
2018-08-22 10:52:50 -07:00
romfs
romfs_lookup: switch to d_splice_alias()
2018-05-22 14:27:55 -04:00
squashfs
Squashfs: Compute expected length from inode size rather than block length
2018-08-02 09:34:02 -07:00
sysfs
Driver core patches for 4.19-rc1
2018-08-18 11:44:53 -07:00
sysv
fs/sysv/inode.c: use ktime_get_real_seconds() for superblock stamp
2018-08-22 10:52:51 -07:00
tracefs
tracefs: Annotate tracefs_ops with __ro_after_init
2018-07-31 11:32:44 -04:00
ubifs
ubifs: Fix WARN_ON logic in exit path
2018-10-13 11:05:02 +02:00
udf
udf: Fix mounting of Win7 created UDF filesystems
2018-08-24 11:13:32 +02:00
ufs
fs/ufs: use ktime_get_real_seconds for sb and cg timestamps
2018-08-17 16:20:27 -07:00
xfs
xfs: fix data corruption w/ unaligned reflink ranges
2018-10-06 11:44:39 +10:00
aio.c
Merge branch 'work.aio' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-08-13 20:56:23 -07:00
anon_inodes.c
anon_inode_getfile(): switch to alloc_file_pseudo()
2018-07-12 10:04:27 -04:00
attr.c
fs: Fix attr.c kernel-doc
2018-07-03 16:44:45 -04:00
bad_inode.c
get rid of 'opened' argument of ->atomic_open() - part 3
2018-07-12 10:04:20 -04:00
binfmt_aout.c
exec: introduce finalize_exec() before start_thread()
2018-04-11 10:28:37 -07:00
binfmt_elf_fdpic.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
binfmt_elf.c
Here are the main MIPS changes for 4.19.
2018-08-13 19:24:32 -07:00
binfmt_em86.c
binfmt_flat.c
exec: introduce finalize_exec() before start_thread()
2018-04-11 10:28:37 -07:00
binfmt_misc.c
turn filp_clone_open() into inline wrapper for dentry_open()
2018-07-10 23:29:03 -04:00
binfmt_script.c
exec: load_script: kill the onstack interp[BINPRM_BUF_SIZE] array
2017-10-03 17:54:25 -07:00
block_dev.c
for-4.19/block-20180812
2018-08-14 10:23:25 -07:00
buffer.c
notifier: Remove notifier header file wherever not used
2018-08-30 12:56:40 +02:00
char_dev.c
block, char_dev: Use correct format specifier for unsigned ints
2018-03-15 17:59:24 +01:00
compat_binfmt_elf.c
compat_ioctl.c
media: dvb/audio.h: get rid of unused APIs
2018-07-30 16:21:49 -04:00
compat.c
ncpfs: remove compat functionality
2018-06-05 19:23:26 +02:00
coredump.c
Merge branch 'misc.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-11-17 11:54:55 -08:00
d_path.c
split d_path() and friends into a separate file
2018-03-29 15:07:46 -04:00
dax.c
filesystem-dax: Fix dax_layout_busy_page() livelock
2018-10-08 11:38:44 -07:00
dcache.c
fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
2018-08-17 16:20:28 -07:00
dcookies.c
fs: add do_lookup_dcookie() helper; remove in-kernel call to syscall
2018-04-02 20:15:39 +02:00
direct-io.c
block: consistently use GFP_NOIO instead of __GFP_NORECLAIM
2018-05-14 08:55:18 -06:00
drop_caches.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
eventfd.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
eventpoll.c
fs/eventpoll.c: simplify ep_is_linked() callers
2018-08-22 10:52:49 -07:00
exec.c
Merge branch 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2018-08-21 13:47:29 -07:00
fcntl.c
signal: Don't send signals to tasks that don't exist
2018-08-15 23:03:20 -05:00
fhandle.c
vfs: Copy struct mount.mnt_id to userspace using put_user()
2018-01-15 12:07:51 -08:00
file_table.c
overlayfs update for 4.19
2018-08-21 18:19:09 -07:00
file.c
fs: add ksys_close() wrapper; remove in-kernel calls to sys_close()
2018-04-02 20:16:00 +02:00
filesystems.c
proc: introduce proc_create_single{,_data}
2018-05-16 07:23:35 +02:00
fs_pin.c
Merge branch 'linus' into locking/core, to resolve conflicts
2017-11-07 10:32:44 +01:00
fs_struct.c
fs-writeback.c
bdi: Fix oops in wb_workfn()
2018-05-03 16:11:37 -06:00
inode.c
overlayfs update for 4.19
2018-08-21 18:19:09 -07:00
internal.h
overlayfs update for 4.19
2018-08-21 18:19:09 -07:00
ioctl.c
vfs: swap names of {do,vfs}_clone_file_range()
2018-09-24 10:54:01 +02:00
iomap.c
iomap: set page dirty after partial delalloc on mkwrite
2018-09-29 13:51:01 +10:00
Kconfig
autofs: remove left-over autofs4 stubs
2018-06-11 08:22:34 -07:00
Kconfig.binfmt
kconfig: move the "Executable file formats" menu to fs/Kconfig.binfmt
2018-08-02 08:06:55 +09:00
libfs.c
fs, dax: prepare for dax-specific address_space_operations
2018-03-30 11:34:55 -07:00
locks.c
overlayfs update for 4.19
2018-08-21 18:19:09 -07:00
Makefile
autofs: remove left-over autofs4 stubs
2018-06-11 08:22:34 -07:00
mbcache.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
mount.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mpage.c
mpage: mpage_readpages() should submit IO as read-ahead
2018-08-17 16:20:29 -07:00
namei.c
namei: allow restricted O_CREAT of FIFOs and regular files
2018-08-23 18:48:43 -07:00
namespace.c
Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax
2018-08-26 11:48:42 -07:00
no-block.c
nsfs.c
net: Export open_related_ns()
2018-02-15 15:34:42 -05:00
open.c
overlayfs update for 4.19
2018-08-21 18:19:09 -07:00
pipe.c
Merge branch 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-08-13 19:58:36 -07:00
pnode.c
pnode.h
posix_acl.c
posix_acl: convert posix_acl.a_refcount from atomic_t to refcount_t
2018-01-02 19:27:28 -08:00
proc_namespace.c
vfs: do bulk POLL* -> EPOLL* replacement
2018-02-11 14:34:03 -08:00
read_write.c
vfs: swap names of {do,vfs}_clone_file_range()
2018-09-24 10:54:01 +02:00
readdir.c
fs: add ksys_getdents64() helper; remove in-kernel calls to sys_getdents64()
2018-04-02 20:16:02 +02:00
select.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
seq_file.c
fs/seq_file.c: simplify seq_file iteration code and interface
2018-08-17 16:20:28 -07:00
signalfd.c
Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:21:50 +09:00
splice.c
Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:21:50 +09:00
stack.c
stat.c
fs: add do_readlinkat() helper; remove internal call to sys_readlinkat()
2018-04-02 20:15:34 +02:00
statfs.c
kernel: add kcompat_sys_{f,}statfs64()
2018-07-12 14:49:48 +01:00
super.c
Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax
2018-08-26 11:48:42 -07:00
sync.c
Changes for this release:
2018-04-04 12:44:02 -07:00
timerfd.c
Merge branch 'work.aio' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-08-13 20:56:23 -07:00
userfaultfd.c
mm: Change return type int to vm_fault_t for fault handlers
2018-08-23 18:48:44 -07:00
utimes.c
fs: add do_compat_futimesat() helper; remove in-kernel call to compat syscall
2018-04-02 20:15:44 +02:00
xattr.c
sysfs: Do not return POSIX ACL xattrs via listxattr
2018-09-18 07:30:48 -04:00