raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-28 21:13:06 +00:00
Code Issues Projects Releases Wiki Activity
Files
cb290ead07f237a237edbf3f4e9840baf65358eb
linux/fs
History
Jann Horn c3139458db reiserfs: fix broken xattr handling (heap corruption, bad retval) 
commit a13f085d11 upstream.

This fixes the following issues:

- When a buffer size is supplied to reiserfs_listxattr() such that each
  individual name fits, but the concatenation of all names doesn't fit,
  reiserfs_listxattr() overflows the supplied buffer.  This leads to a
  kernel heap overflow (verified using KASAN) followed by an out-of-bounds
  usercopy and is therefore a security bug.

- When a buffer size is supplied to reiserfs_listxattr() such that a
  name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
  truncates the list of names; I have verified that if the only xattr on a
  file has a longer name than the supplied buffer length, listxattr()
  incorrectly returns zero.

With my patch applied, -ERANGE is returned in both cases and the memory
corruption doesn't happen anymore.

Credit for making me clean this code up a bit goes to Al Viro, who pointed
out that the ->actor calling convention is suboptimal and should be
changed.

Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
Fixes: 48b32a3553 ("reiserfs: use generic xattr handlers")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Cc: Eric Biggers <ebiggers@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-08-24 13:07:17 +02:00
..
9p
Merge tag 'fscache-next-20180406' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
2018-04-07 09:08:24 -07:00
adfs
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
affs
affs_lookup: switch to d_splice_alias()
2018-05-21 14:29:12 -04:00
afs
afs: Fix mounting of backup volumes
2018-05-16 21:35:23 +01:00
autofs4
autofs: fix slab out of bounds read in getname_kernel()
2018-07-22 15:16:06 +02:00
befs
befs_lookup(): use d_splice_alias()
2018-05-21 14:30:07 -04:00
bfs
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
btrfs
btrfs: scrub: Don't use inode page cache in scrub_handle_errored_block()
2018-08-24 13:07:11 +02:00
cachefiles
cachefiles: vfs_mkdir() might succeed leaving dentry negative unhashed
2018-05-21 14:30:10 -04:00
ceph
ceph: fix dentry leak in splice_dentry()
2018-08-24 13:06:51 +02:00
cifs
smb3: increase initial number of credits requested to allow write
2018-08-24 13:06:38 +02:00
coda
vfs: do bulk POLL* -> EPOLL* replacement
2018-02-11 14:34:03 -08:00
configfs
configfs: make ci_type field, some pointers and function arguments const
2017-10-19 16:15:16 +02:00
cramfs
cramfs: Fix IS_ENABLED typo
2018-05-21 14:30:08 -04:00
crypto
fscrypt: use unbound workqueue for decryption
2018-08-03 07:47:47 +02:00
debugfs
debugfs_lookup(): switch to lookup_one_len_unlocked()
2018-03-29 15:07:47 -04:00
devpts
devpts: comment devpts_mntget()
2018-03-14 13:31:23 +01:00
dlm
net: make getname() functions return length rather than use int* parameter
2018-02-12 14:15:04 -05:00
ecryptfs
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-05-21 11:54:57 -07:00
efivarfs
efivarfs: Limit the rate for non-root to read files
2018-02-22 10:21:02 -08:00
efs
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
exofs
Merge tag 'iversion-v4.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux
2018-02-07 14:25:22 -08:00
exportfs
ovl: do not try to reconnect a disconnected origin dentry
2018-04-12 12:04:49 +02:00
ext2
dax: change bdev_dax_supported() to support boolean returns
2018-07-11 16:31:33 +02:00
ext4
ext4: fix spectre gadget in ext4_mb_regular_allocator()
2018-08-24 13:07:15 +02:00
f2fs
f2fs: check cap_resource only for data blocks
2018-08-03 07:47:56 +02:00
fat
fat: fix memory allocation failure handling of match_strdup()
2018-07-25 11:26:07 +02:00
freevxfs
vxfs: Define usercopy region in vxfs_inode slab cache
2018-01-15 12:07:57 -08:00
fscache
fscache: use appropriate radix tree accessors
2018-04-11 10:28:39 -07:00
fuse
fuse: fix control dir setup and teardown
2018-07-03 11:26:50 +02:00
gfs2
GFS2: Minor improvements to comments and documentation
2018-04-12 10:07:51 -07:00
hfs
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
hfsplus
hfsplus: stop workqueue when fill_super() failed
2018-05-18 17:17:12 -07:00
hostfs
hostfs: rename do_rmdir() to hostfs_do_rmdir()
2018-04-02 20:15:53 +02:00
hpfs
hpfs: don't bother with the i_version counter or f_version
2017-12-10 12:58:18 -08:00
hugetlbfs
hugetlbfs: fix bug in pgoff overflow checking
2018-04-05 21:36:21 -07:00
isofs
isofs: fix potential memory leak in mount option parsing
2018-04-16 09:47:41 +02:00
jbd2
jbd2: don't mark block as modified if the handle is out of credits
2018-07-11 16:31:28 +02:00
jffs2
do d_instantiate/unlock_new_inode combinations safely
2018-05-11 15:36:37 -04:00
jfs
jfs: Fix inconsistency between memory allocation and ea_buf->max_size
2018-08-09 12:15:13 +02:00
kernfs
kernfs: deal with kernfs_fill_super() failures
2018-05-21 14:30:08 -04:00
lockd
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
minix
treewide: simplify Kconfig dependencies for removed archs
2018-03-26 15:55:57 +02:00
nfs
pNFS: Always free the session slot on error in nfs4_layoutget_handle_exception
2018-08-24 13:06:43 +02:00
nfs_common
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nfsd
nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo
2018-08-03 07:47:34 +02:00
nilfs2
do d_instantiate/unlock_new_inode combinations safely
2018-05-11 15:36:37 -04:00
nls
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
notify
fsnotify: fix ignore mask logic in send_to_group()
2018-04-13 15:52:49 +02:00
ntfs
ntfs: fix bogus __mark_inode_dirty(I_DIRTY_SYNC | I_DIRTY_DATASYNC) call
2018-03-28 01:39:02 -04:00
ocfs2
ocfs2: revert "ocfs2/o2hb: check len for bio_add_page() to avoid getting incorrect bio"
2018-05-25 18:12:10 -07:00
omfs
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
openpromfs
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
orangefs
orangefs: report attributes_mask and attributes for statx
2018-06-26 07:51:31 +08:00
overlayfs
ovl: add support for "xino" mount and config options
2018-04-12 12:04:50 +02:00
proc
mm, powerpc, x86: define VM_PKEY_BITx bits if CONFIG_ARCH_HAS_PKEYS is enabled
2018-08-03 07:47:54 +02:00
pstore
pstore: fix crypto dependencies without compression
2018-04-06 15:45:33 -07:00
qnx4
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
qnx6
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
quota
fs: quota: Replace GFP_ATOMIC with GFP_KERNEL in dquot_init
2018-04-09 17:48:54 +02:00
ramfs
reiserfs
reiserfs: fix broken xattr handling (heap corruption, bad retval)
2018-08-24 13:07:17 +02:00
romfs
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
squashfs
squashfs: more metadata hardenings
2018-08-06 16:18:19 +02:00
sysfs
unfuck sysfs_mount()
2018-05-21 14:30:09 -04:00
sysv
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
tracefs
ubifs
UBIFS: Fix potential integer overflow in allocation
2018-07-03 11:27:03 +02:00
udf
udf: Detect incorrect directory size
2018-07-03 11:27:09 +02:00
ufs
do d_instantiate/unlock_new_inode combinations safely
2018-05-11 15:36:37 -04:00
xfs
xfs: validate cached inodes are free when allocated
2018-08-09 12:15:12 +02:00
aio.c
fix io_destroy()/aio_complete() race
2018-05-23 22:53:22 -04:00
anon_inodes.c
attr.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
bad_inode.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
binfmt_aout.c
exec: introduce finalize_exec() before start_thread()
2018-04-11 10:28:37 -07:00
binfmt_elf_fdpic.c
exec: introduce finalize_exec() before start_thread()
2018-04-11 10:28:37 -07:00
binfmt_elf.c
fs, elf: make sure to page align bss in load_elf_library
2018-07-17 11:48:29 +02:00
binfmt_em86.c
binfmt_flat.c
exec: introduce finalize_exec() before start_thread()
2018-04-11 10:28:37 -07:00
binfmt_misc.c
fs/binfmt_misc.c: do not allow offset overflow
2018-06-26 07:51:32 +08:00
binfmt_script.c
block_dev.c
blkdev: __blkdev_direct_IO_simple: fix leak in error case
2018-08-03 07:48:02 +02:00
buffer.c
Merge branch 'work.thaw' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-04-12 12:28:32 -07:00
char_dev.c
block, char_dev: Use correct format specifier for unsigned ints
2018-03-15 17:59:24 +01:00
compat_binfmt_elf.c
compat_ioctl.c
fs: compat_ioctl: add new DVB demux ioctls
2017-12-28 11:17:29 -05:00
compat.c
coredump.c
Merge branch 'misc.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-11-17 11:54:55 -08:00
d_path.c
split d_path() and friends into a separate file
2018-03-29 15:07:46 -04:00
dax.c
page cache: use xa_lock
2018-04-11 10:28:39 -07:00
dcache.c
make sure that __dentry_kill() always invalidates d_seq, unhashed or not
2018-08-15 18:10:58 +02:00
dcookies.c
fs: add do_lookup_dcookie() helper; remove in-kernel call to syscall
2018-04-02 20:15:39 +02:00
direct-io.c
Merge branch 'akpm' (patches from Andrew)
2018-04-06 14:19:26 -07:00
drop_caches.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
eventfd.c
fs: add do_eventfd() helper; remove internal call to sys_eventfd()
2018-04-02 20:15:39 +02:00
eventpoll.c
fs: add do_epoll_*() helpers; remove internal calls to sys_epoll_*()
2018-04-02 20:15:37 +02:00
exec.c
mm: make vm_area_alloc() initialize core fields
2018-08-24 13:07:14 +02:00
fcntl.c
fs: add do_compat_fcntl64() helper; remove in-kernel call to compat syscall
2018-04-02 20:15:42 +02:00
fhandle.c
vfs: Copy struct mount.mnt_id to userspace using put_user()
2018-01-15 12:07:51 -08:00
file_table.c
vfs: remove unused hardirq.h
2017-12-07 14:23:30 -05:00
file.c
fs: add ksys_close() wrapper; remove in-kernel calls to sys_close()
2018-04-02 20:16:00 +02:00
filesystems.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
fs_pin.c
Merge branch 'linus' into locking/core, to resolve conflicts
2017-11-07 10:32:44 +01:00
fs_struct.c
fs-writeback.c
bdi: Fix oops in wb_workfn()
2018-05-03 16:11:37 -06:00
inode.c
Fix up non-directory creation in SGID directories
2018-07-17 11:48:28 +02:00
internal.h
drm_mode_create_lease_ioctl(): fix open-coded filp_clone_open()
2018-07-25 11:26:13 +02:00
ioctl.c
fs: add ksys_ioctl() helper; remove in-kernel calls to sys_ioctl()
2018-04-02 20:16:03 +02:00
iomap.c
iomap: warn on zero-length mappings
2018-01-29 07:27:24 -08:00
Kconfig
Merge tag 'libnvdimm-for-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
2018-02-06 10:41:33 -08:00
Kconfig.binfmt
treewide: simplify Kconfig dependencies for removed archs
2018-03-26 15:55:57 +02:00
libfs.c
fs, dax: prepare for dax-specific address_space_operations
2018-03-30 11:34:55 -07:00
locks.c
treewide: Align function definition open/close braces
2018-03-26 11:13:09 +02:00
Makefile
split d_path() and friends into a separate file
2018-03-29 15:07:46 -04:00
mbcache.c
mbcache: make sure c_entry_count is not decremented past zero
2018-01-09 23:57:52 -05:00
mount.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mpage.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
namei.c
Revert "fs: fold open_check_o_direct into do_dentry_open"
2018-06-03 10:58:23 -07:00
namespace.c
fix __legitimize_mnt()/mntput() race
2018-08-15 18:10:58 +02:00
no-block.c
nsfs.c
net: Export open_related_ns()
2018-02-15 15:34:42 -05:00
open.c
Revert "fs: fold open_check_o_direct into do_dentry_open"
2018-06-03 10:58:23 -07:00
pipe.c
fs: add do_pipe2() helper; remove internal call to sys_pipe2()
2018-04-02 20:15:35 +02:00
pnode.c
pnode.h
posix_acl.c
posix_acl: convert posix_acl.a_refcount from atomic_t to refcount_t
2018-01-02 19:27:28 -08:00
proc_namespace.c
vfs: do bulk POLL* -> EPOLL* replacement
2018-02-11 14:34:03 -08:00
read_write.c
fs: add ksys_p{read,write}64() helpers; remove in-kernel calls to syscalls
2018-04-02 20:16:09 +02:00
readdir.c
fs: add ksys_getdents64() helper; remove in-kernel calls to sys_getdents64()
2018-04-02 20:16:02 +02:00
select.c
fs: add do_compat_select() helper; remove in-kernel call to compat syscall
2018-04-02 20:15:42 +02:00
seq_file.c
proc: fix smaps and meminfo alignment
2018-05-25 18:12:11 -07:00
signalfd.c
fs: add do_compat_signalfd4() helper; remove in-kernel call to compat syscall
2018-04-02 20:15:43 +02:00
splice.c
fs: add do_vmsplice() helper; remove in-kernel call to syscall
2018-04-02 20:15:40 +02:00
stack.c
stat.c
fs: add do_readlinkat() helper; remove internal call to sys_readlinkat()
2018-04-02 20:15:34 +02:00
statfs.c
Rename superblock flags (MS_xyz -> SB_xyz)
2017-11-27 13:05:09 -08:00
super.c
fs: don't scan the inode cache before SB_BORN is set
2018-05-11 15:37:57 -04:00
sync.c
Merge tag 'xfs-4.17-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
2018-04-04 12:44:02 -07:00
timerfd.c
vfs: do bulk POLL* -> EPOLL* replacement
2018-02-11 14:34:03 -08:00
userfaultfd.c
userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
2018-08-06 16:18:21 +02:00
utimes.c
fs: add do_compat_futimesat() helper; remove in-kernel call to compat syscall
2018-04-02 20:15:44 +02:00
xattr.c