path: root/freed-ora/current/f18/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
blob: 6c7f60dd9c69deb10bcfae2e5acb96486fc9fefa (plain)
Bugzilla: 1033603
Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654

From: Dan Carpenter <dan.carpenter@oracle.com>
Newsgroups: gmane.comp.file-systems.xfs.general
Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
Date: Thu, 31 Oct 2013 21:00:10 +0300
Lines: 43
Approved: news@gmane.org
Message-ID: <20131031180010.GA24839@longonot.mountain>
References: <20131025144452.GA28451@ngolde.de>
Cc: Fabian Yamaguchi <fabs@goesec.de>, security@kernel.org,
	Alex Elder <elder@kernel.org>, Nico Golde <nico@ngolde.de>, xfs@oss.sgi.com
To: Ben Myers <bpm@sgi.com>
In-Reply-To: <20131025144452.GA28451@ngolde.de>
Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654>

If we allocate less than sizeof(struct attrlist) then we end up
corrupting memory or doing a ZERO_PTR_SIZE dereference.

This can only be triggered with CAP_SYS_ADMIN.

Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 4d61340..33ad9a7 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
 		return -XFS_ERROR(EPERM);
 	if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
 		return -XFS_ERROR(EFAULT);
-	if (al_hreq.buflen > XATTR_LIST_MAX)
+	if (al_hreq.buflen < sizeof(struct attrlist) ||
+	    al_hreq.buflen > XATTR_LIST_MAX)
 		return -XFS_ERROR(EINVAL);
 
 	/*
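Review bot: the added lower bound is the right fix for the underflow the message describes, but nothing in the hunk says why sizeof(struct attrlist) is the minimum; a one-line comment above the check (for example "buffer must at least hold the attrlist header") would stop a later cleanup from dropping the bound as redundant. It is also worth stating in the change description whether al_hreq.buflen is an unsigned type here, since that is what turns a small value into an allocation that is smaller than the header the list routine writes, which is exactly the case this check now rejects with EINVAL.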
diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
index e8fb123..a7992f8 100644
--- a/fs/xfs/xfs_ioctl32.c
+++ b/fs/xfs/xfs_ioctl32.c
@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
 	if (copy_from_user(&al_hreq, arg,
 			   sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
 		return -XFS_ERROR(EFAULT);
-	if (al_hreq.buflen > XATTR_LIST_MAX)
+	if (al_hreq.buflen < sizeof(struct attrlist) ||
+	    al_hreq.buflen > XATTR_LIST_MAX)
 		return -XFS_ERROR(EINVAL);
 
 	/*
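Review bot: this duplicates the range check from xfs_ioctl.c line for line, so the two copies drifting apart is the main maintenance risk; consider factoring the bounds test into a small shared helper used by both xfs_attrlist_by_handle() and xfs_compat_attrlist_by_handle(), or at least cross-reference the native version in a comment. Note also that the compat path uses the native sizeof(struct attrlist): if the 32-bit ABI has its own attrlist layout the bound should be taken from that, and if the layouts are identical a short comment saying so would save the next reader from having to verify it.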
