linux/fs/xfs
Darrick J. Wong 3b50086f0c xfs: don't overflow xattr listent buffer
For VFS listxattr calls, xfs_xattr_put_listent calls
__xfs_xattr_put_listent twice if it sees an attribute
"trusted.SGI_ACL_FILE": once for that name, and again for
"system.posix_acl_access".  Unfortunately, if we happen to run out of
buffer space while emitting the first name, we set count to -1 (so that
we can feed ERANGE to the caller).  The second invocation doesn't check that
the context parameters make sense and overwrites the byte before the
buffer, triggering a KASAN report:

==================================================================
BUG: KASAN: slab-out-of-bounds in strncpy+0xb3/0xd0
Write of size 1 at addr ffff88807fbd317f by task syz/1113

CPU: 3 PID: 1113 Comm: syz Not tainted 5.0.0-rc6-xfsx #rc6
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 dump_stack+0xcc/0x180
 print_address_description+0x6c/0x23c
 kasan_report.cold.3+0x1c/0x35
 strncpy+0xb3/0xd0
 __xfs_xattr_put_listent+0x1a9/0x2c0 [xfs]
 xfs_attr_list_int_ilocked+0x11af/0x1800 [xfs]
 xfs_attr_list_int+0x20c/0x2e0 [xfs]
 xfs_vn_listxattr+0x225/0x320 [xfs]
 listxattr+0x11f/0x1b0
 path_listxattr+0xbd/0x130
 do_syscall_64+0x139/0x560

While we're at it, we add an assert to the other put_listent to avoid
this sort of thing ever happening to the attrlist_by_handle code.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-02-14 09:36:52 -08:00
libxfs xfs: add magic numbers to dquot buffer ops 2019-02-11 16:07:01 -08:00
scrub xfs: use buf ops magic to detect btree block type 2019-02-11 16:07:01 -08:00
Kconfig xfs: implement the metadata repair ioctl flag 2018-05-15 18:12:50 -07:00
kmem.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
kmem.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
Makefile xfs: move the repair extent list into its own file 2018-07-29 22:37:09 -07:00
mrlock.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_acl.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_acl.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_aops.c xfs: remove superfluous writeback mapping eof trimming 2019-02-11 16:07:01 -08:00
xfs_aops.h xfs: fix symbolic enum printing in ftrace output 2018-12-19 14:02:01 -08:00
xfs_attr_inactive.c xfs: remove all boilerplate defer init/finish code 2018-07-26 10:15:15 -07:00
xfs_attr_list.c xfs: don't overflow xattr listent buffer 2019-02-14 09:36:52 -08:00
xfs_bmap_item.c xfs: pass transaction to xfs_defer_add() 2018-08-02 23:05:14 -07:00
xfs_bmap_item.h xfs: use transaction for intent recovery instead of raw dfops 2018-08-02 23:05:13 -07:00
xfs_bmap_util.c xfs: fix PAGE_MASK usage in xfs_free_file_space 2018-12-04 08:50:49 -08:00
xfs_bmap_util.h xfs: flush removing page cache in xfs_reflink_remap_prep 2018-11-21 10:10:53 -08:00
xfs_buf_item.c xfs: fix transient reference count error in xfs_buf_resubmit_failed_buffers 2018-11-20 10:36:01 -08:00
xfs_buf_item.h xfs: refactor xfs_buf_log_item reference count handling 2018-09-29 13:45:26 +10:00
xfs_buf.c xfs: distinguish between inobt and finobt magic values 2019-02-11 16:07:01 -08:00
xfs_buf.h xfs: distinguish between inobt and finobt magic values 2019-02-11 16:07:01 -08:00
xfs_dir2_readdir.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_discard.c xfs: trivial xfs_btree_del_cursor cleanups 2018-07-23 09:08:00 -07:00
xfs_discard.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfs_dquot_item.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_dquot_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_dquot.c xfs: remove dead error handling code in xfs_dquot_disk_alloc() 2018-08-07 10:57:13 -07:00
xfs_dquot.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_error.c xfs: cache unlinked pointers in an rhashtable 2019-02-11 16:07:01 -08:00
xfs_error.h xfs: Introduce XFS_PTAG_VERIFIER_ERROR panic mask 2019-02-11 16:07:00 -08:00
xfs_export.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_export.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_extent_busy.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_extent_busy.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_extfree_item.c xfs: remove xfs_rmap_ag_owner and friends 2018-12-12 08:47:16 -08:00
xfs_extfree_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_file.c xfs: make xfs_file_remap_range() static 2018-11-19 13:30:38 -08:00
xfs_filestream.c xfs: replace dop_low with transaction flag 2018-08-02 23:05:13 -07:00
xfs_filestream.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_fsmap.c xfs: trivial xfs_btree_del_cursor cleanups 2018-07-23 09:08:00 -07:00
xfs_fsmap.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_fsops.c xfs: xfs_fsops: drop useless LIST_HEAD 2018-12-29 10:47:58 -08:00
xfs_fsops.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_globals.c xfs: Introduce XFS_PTAG_VERIFIER_ERROR panic mask 2019-02-11 16:07:00 -08:00
xfs_icache.c xfs: introduce a new xfs_inode_has_cow_data helper 2018-07-30 07:57:48 -07:00
xfs_icache.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_icreate_item.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_icreate_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_inode_item.c xfs: remove if_real_bytes 2018-07-30 07:57:48 -07:00
xfs_inode_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_inode.c xfs: cache unlinked pointers in an rhashtable 2019-02-11 16:07:01 -08:00
xfs_inode.h xfs: cache unlinked pointers in an rhashtable 2019-02-11 16:07:01 -08:00
xfs_ioctl.c xfs: Fix error code in 'xfs_ioc_getbmap()' 2018-11-06 07:50:50 -08:00
xfs_ioctl.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_ioctl32.c xfs: Fix x32 ioctls when cmd numbers differ from ia32. 2018-12-18 10:55:21 -08:00
xfs_ioctl32.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_iomap.c xfs: use the latest extent at writeback delalloc conversion time 2019-02-11 16:07:01 -08:00
xfs_iomap.h xfs: avoid COW fork extent lookups in writeback if the fork didn't change 2018-07-31 13:18:09 -07:00
xfs_iops.c xfs: don't crash the vfs on a garbage inline symlink 2018-09-29 13:40:40 +10:00
xfs_iops.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_itable.c xfs: precalculate inodes and blocks per inode cluster 2018-12-12 08:47:17 -08:00
xfs_itable.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_linux.h xfs: replace do_mod with native operations 2018-06-08 10:07:52 -07:00
xfs_log_cil.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_log_priv.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_log_recover.c xfs: add inode magic to inode verifier 2019-02-11 16:07:01 -08:00
xfs_log.c xfs: fix a comment in xfs_log_reserve 2018-08-03 08:17:54 -07:00
xfs_log.h xfs: refactor log recovery check 2018-08-01 07:40:48 -07:00
xfs_message.c xfs: print buffer offsets when dumping corrupt buffers 2018-11-06 07:50:50 -08:00
xfs_message.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfs_mount.c xfs: cache unlinked pointers in an rhashtable 2019-02-11 16:07:01 -08:00
xfs_mount.h xfs: cache unlinked pointers in an rhashtable 2019-02-11 16:07:01 -08:00
xfs_mru_cache.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_mru_cache.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_ondisk.h xfs: compile time offset checks for common v4/v5 metadata 2019-02-11 16:07:01 -08:00
xfs_pnfs.c xfs: prepare xfs_break_layouts() for another layout type 2018-05-22 07:19:08 -07:00
xfs_pnfs.h xfs: prepare xfs_break_layouts() for another layout type 2018-05-22 07:19:08 -07:00
xfs_qm_bhv.c fs/xfs: fix f_ffree value for statfs when project quota is set 2018-11-26 15:01:37 -08:00
xfs_qm_syscalls.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_qm.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_qm.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_quota.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_quotaops.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_refcount_item.c xfs: pass transaction to xfs_defer_add() 2018-08-02 23:05:14 -07:00
xfs_refcount_item.h xfs: use transaction for intent recovery instead of raw dfops 2018-08-02 23:05:13 -07:00
xfs_reflink.c xfs: split up the xfs_reflink_end_cow work into smaller transactions 2018-12-12 08:46:19 -08:00
xfs_reflink.h vfs: rework data cloning infrastructure 2018-11-02 09:33:08 -07:00
xfs_rmap_item.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_rmap_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_rtalloc.c xfs: reallocate realtime summary cache on growfs 2018-12-21 18:45:18 -08:00
xfs_rtalloc.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_stats.c xfs: use offsetof() in place of offset macros for __xfsstats 2018-10-18 17:21:39 +11:00
xfs_stats.h xfs: use offsetof() in place of offset macros for __xfsstats 2018-10-18 17:21:39 +11:00
xfs_super.c xfs: add a block to inode count converter 2018-12-12 08:47:16 -08:00
xfs_super.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_symlink.c xfs: zero length symlinks are not valid 2018-12-12 08:47:15 -08:00
xfs_symlink.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_sysctl.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_sysctl.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_sysfs.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_sysfs.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_trace.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_trace.h xfs: cache unlinked pointers in an rhashtable 2019-02-11 16:07:01 -08:00
xfs_trans_ail.c xfs: clear ail delwri queued bufs on unmount of shutdown fs 2018-10-18 17:21:49 +11:00
xfs_trans_bmap.c xfs: remove duplicated xfs_defer.h 2019-02-11 16:07:00 -08:00
xfs_trans_buf.c xfs: clarify documentation for the function to reverify buffers 2019-02-11 16:07:01 -08:00
xfs_trans_dquot.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_trans_extfree.c xfs: remove duplicated xfs_defer.h 2019-02-11 16:07:00 -08:00
xfs_trans_inode.c vfs/y2038: inode timestamps conversion to timespec64 2018-06-15 07:31:07 +09:00
xfs_trans_priv.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_trans_refcount.c xfs: remove duplicated xfs_defer.h 2019-02-11 16:07:00 -08:00
xfs_trans_rmap.c xfs: remove duplicated xfs_defer.h 2019-02-11 16:07:00 -08:00
xfs_trans.c xfs: avoid lockdep false positives in xfs_trans_alloc 2018-09-29 13:46:21 +10:00
xfs_trans.h xfs: const-ify xfs_owner_info arguments 2018-12-12 08:47:16 -08:00
xfs_xattr.c xfs: don't overflow xattr listent buffer 2019-02-14 09:36:52 -08:00
xfs.h xfs: remove b_last_holder & associated macros 2018-08-12 08:37:31 -07:00