linux/fs/overlayfs
Amir Goldstein 522f6e6cba ovl: fix out of bounds access warning in ovl_check_fb_len()
syzbot reported out of bounds memory access from open_by_handle_at()
with a crafted file handle that looks like this:

  { .handle_bytes = 2, .handle_type = OVL_FILEID_V1 }

handle_bytes gets rounded down to 0 and we end up calling:
  ovl_check_fh_len(fh, 0) => ovl_check_fb_len(fh + 3, -3)

But the fh buffer is only 2 bytes long, so accessing struct ovl_fb at
fh + 3 is illegal.

Fixes: cbe7fba8ed ("ovl: make sure that real fid is 32bit aligned in memory")
Reported-and-tested-by: syzbot+61958888b1c60361a791@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org> # v5.5
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2020-06-02 22:20:25 +02:00
copy_up.c ovl: prepare to copy up without workdir 2020-05-13 11:11:24 +02:00
dir.c ovl: whiteout inode sharing 2020-05-13 11:11:24 +02:00
export.c ovl: return required buffer size for file handles 2020-05-13 11:11:24 +02:00
file.c ovl: fix lockdep warning for async write 2020-03-13 15:53:06 +01:00
inode.c ovl: clear ATTR_OPEN from attr->ia_valid 2020-04-30 11:52:07 +02:00
Kconfig ovl: fix some xino configurations 2020-03-13 15:53:06 +01:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
namei.c ovl: cleanup non-empty directories in ovl_indexdir_cleanup() 2020-05-13 11:11:24 +02:00
overlayfs.h ovl: fix out of bounds access warning in ovl_check_fb_len() 2020-06-02 22:20:25 +02:00
ovl_entry.h ovl: whiteout inode sharing 2020-05-13 11:11:24 +02:00
readdir.c ovl: whiteout inode sharing 2020-05-13 11:11:24 +02:00
super.c ovl: sync dirty data when remounting to ro mode 2020-05-13 11:11:24 +02:00
util.c ovl: whiteout inode sharing 2020-05-13 11:11:24 +02:00