| Message ID | 20170711140421.31205-1-chandan@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tuesday, July 11, 2017 7:34:21 PM IST Chandan Rajendra wrote: > On ppc64, When a non-nul terminated string is passed as an argument to > the mount(2) syscall, copy_mount_string() ends up allocating 64k (the > PAGE_SIZE on ppc64) worth of space for holding the string in kernel's > address space. > > Later, in set_precision() (invoked indirectly by get_fs_type()), we end > up assigning 65535 as the value to 'struct printf_spec'->precision > member. This field has a width of 16 bits and also it is signed data > type. Hence an invalid value ends up getting assigned. This causes the > "WARN_ONCE(spec->precision != prec, "precision %d too large", prec)" > statement inside set_precision() to be executed. > > This commit fixes the bug by validating the length of the "filesystem > type" argument passed to get_fs_type() function. > > Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com> > Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com> > Suggested-by: Joe Perches <joe@perches.com> > --- > Changelog: > v1->v2: Fix commit message. > > fs/filesystems.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/filesystems.c b/fs/filesystems.c > index a920ad2..8e309d3 100644 > --- a/fs/filesystems.c > +++ b/fs/filesystems.c > @@ -275,6 +275,9 @@ struct file_system_type *get_fs_type(const char *name) > const char *dot = strchr(name, '.'); > int len = dot ? dot - name : strlen(name); > > + if (len >= PATH_MAX) > + return NULL; > + > fs = __get_fs_type(name, len); > if (!fs && (request_module("fs-%.*s", len, name) == 0)) { > fs = __get_fs_type(name, len); > Hi Al Viro, Can you please let me know if you have any review comments about this patch.
diff --git a/fs/filesystems.c b/fs/filesystems.c index a920ad2..8e309d3 100644 --- a/fs/filesystems.c +++ b/fs/filesystems.c @@ -275,6 +275,9 @@ struct file_system_type *get_fs_type(const char *name) const char *dot = strchr(name, '.'); int len = dot ? dot - name : strlen(name); + if (len >= PATH_MAX) + return NULL; + fs = __get_fs_type(name, len); if (!fs && (request_module("fs-%.*s", len, name) == 0)) { fs = __get_fs_type(name, len);
On ppc64, When a non-nul terminated string is passed as an argument to the mount(2) syscall, copy_mount_string() ends up allocating 64k (the PAGE_SIZE on ppc64) worth of space for holding the string in kernel's address space. Later, in set_precision() (invoked indirectly by get_fs_type()), we end up assigning 65535 as the value to 'struct printf_spec'->precision member. This field has a width of 16 bits and also it is signed data type. Hence an invalid value ends up getting assigned. This causes the "WARN_ONCE(spec->precision != prec, "precision %d too large", prec)" statement inside set_precision() to be executed. This commit fixes the bug by validating the length of the "filesystem type" argument passed to get_fs_type() function. Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com> Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com> Suggested-by: Joe Perches <joe@perches.com> --- Changelog: v1->v2: Fix commit message. fs/filesystems.c | 3 +++ 1 file changed, 3 insertions(+)