diff options
| author | Amir Goldstein <amir73il@gmail.com> | 2020-05-23 16:21:55 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-06-17 16:42:02 +0200 |
| commit | f0fd6069899572ac2aea7b4ef3406eec5056b99c (patch) | |
| tree | 9b243a2b907bbcb1615259ccc1a31221e722c0b6 | |
| parent | dd7eb4c0e0e91e3d818f39ce6170d719569746c1 (diff) | |
| download | linux-f0fd6069899572ac2aea7b4ef3406eec5056b99c.tar.gz linux-f0fd6069899572ac2aea7b4ef3406eec5056b99c.zip | |
ovl: fix out of bounds access warning in ovl_check_fb_len()
commit 522f6e6cba6880a038e2bd88e10390b84cd3febd upstream.
syzbot reported out of bounds memory access from open_by_handle_at()
with a crafted file handle that looks like this:
{ .handle_bytes = 2, .handle_type = OVL_FILEID_V1 }
handle_bytes gets rounded down to 0 and we end up calling:
ovl_check_fh_len(fh, 0) => ovl_check_fb_len(fh + 3, -3)
But fh buffer is only 2 bytes long, so accessing struct ovl_fb at
fh + 3 is illegal.
Fixes: cbe7fba8edfc ("ovl: make sure that real fid is 32bit aligned in memory")
Reported-and-tested-by: syzbot+61958888b1c60361a791@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org> # v5.5
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/overlayfs/overlayfs.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h index 3d3f2b8bdae5..c2424330209a 100644 --- a/fs/overlayfs/overlayfs.h +++ b/fs/overlayfs/overlayfs.h @@ -339,6 +339,9 @@ int ovl_check_fb_len(struct ovl_fb *fb, int fb_len); static inline int ovl_check_fh_len(struct ovl_fh *fh, int fh_len) { + if (fh_len < sizeof(struct ovl_fh)) + return -EINVAL; + return ovl_check_fb_len(&fh->fb, fh_len - OVL_FH_WIRE_OFFSET); } |
