linux/fs/fscache
Eric Sandeen fa520c47ea fscache: Fix out of bound read in long cookie keys
fscache_set_key() can incur an out-of-bounds read, reported by KASAN:

 BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x5b3/0x680 [fscache]
 Read of size 4 at addr ffff88084ff056d4 by task mount.nfs/32615

and also reported by syzbot at https://lkml.org/lkml/2018/7/8/236

  BUG: KASAN: slab-out-of-bounds in fscache_set_key fs/fscache/cookie.c:120 [inline]
  BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880 fs/fscache/cookie.c:171
  Read of size 4 at addr ffff8801d3cc8bb4 by task syz-executor907/4466

This happens for any index_key_len which is not divisible by 4 and is
larger than the size of the inline key, because the code allocates exactly
index_key_len for the key buffer, but the hashing loop is stepping through
it 4 bytes (u32) at a time in the buf[] array.

Fix this by calculating how many u32 buffers we'll need by using
DIV_ROUND_UP, and then using kcalloc() to allocate a precleared allocation
buffer to hold the index_key, then using that same count as the hashing
index limit.

Fixes: ec0328e46d ("fscache: Maintain a catalogue of allocated cookies")
Reported-by: syzbot+a95b989b2dde8e806af8@syzkaller.appspotmail.com
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-18 11:32:21 +02:00
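The allocation and hashing pattern the commit describes, modelled in userspace C as an added example (it is not the kernel's fscache_set_key() and not the author's code): the key buffer is sized in whole u32 slots with DIV_ROUND_UP and precleared, so the word-at-a-time hashing loop stays inside the buffer for lengths that are not a multiple of 4. The names key_words and hash_index_key and the hash function itself are assumptions for illustration, not fscache's.

```c
/* Added example: userspace model of the fixed allocation/hashing pattern.
 * Not the kernel's fscache code; the hash is an illustrative stand-in. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t u32;

/* Same rounding the kernel's DIV_ROUND_UP macro performs. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Number of u32 slots needed to hold index_key_len bytes. */
size_t key_words(size_t index_key_len)
{
	return DIV_ROUND_UP(index_key_len, sizeof(u32));
}

/* Copy the key into a zero-filled buffer of whole u32s and hash it word
 * by word. Sizing the buffer in u32s (not in bytes) means the loop can
 * never read past its end; preclearing it means the tail padding of a
 * key whose length is not a multiple of 4 is deterministic.
 * Returns the hash, or -1 if the allocation fails. */
int64_t hash_index_key(const void *index_key, size_t index_key_len)
{
	size_t bufs = key_words(index_key_len);
	u32 *buf = calloc(bufs, sizeof(*buf));
	u32 a = 0;

	if (!buf)
		return -1;
	memcpy(buf, index_key, index_key_len);
	for (size_t i = 0; i < bufs; i++)	/* bound is the slot count, not the byte count */
		a = a * 31 + buf[i];
	free(buf);
	return a;
}

int main(void)
{
	const char key[] = "abcde";		/* constructed 5-byte key: not a multiple of 4 */
	int64_t h = hash_index_key(key, 5);

	if (h >= 0)
		printf("words=%zu hash=%08x\n", key_words(5), (u32)h);
	return 0;
}
```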
cache.c fscache: Fix reference overput in fscache_attach_object() error handling 2018-07-25 14:49:00 +01:00
cookie.c fscache: Fix out of bound read in long cookie keys 2018-10-18 11:32:21 +02:00
fsdef.c fscache: Pass object size in rather than calling back for it 2018-04-06 14:05:14 +01:00
histogram.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
internal.h fscache: Fix incomplete initialisation of inline key space 2018-10-18 11:32:21 +02:00
Kconfig fscache: drop references to slow-work 2010-07-22 22:58:58 +02:00
main.c fscache: Fix incomplete initialisation of inline key space 2018-10-18 11:32:21 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netfs.c fscache: Maintain a catalogue of allocated cookies 2018-04-06 14:05:14 +01:00
object-list.c fscache: Attach the index key and aux data to the cookie 2018-04-04 13:41:28 +01:00
object.c fscache: Fix reference overput in fscache_attach_object() error handling 2018-07-25 14:49:00 +01:00
operation.c fscache: Allow cancelled operations to be enqueued 2018-07-25 14:31:20 +01:00
page.c fscache: Pass object size in rather than calling back for it 2018-04-06 14:05:14 +01:00
proc.c proc: introduce proc_create_single{,_data} 2018-05-16 07:23:35 +02:00
stats.c proc: introduce proc_create_single{,_data} 2018-05-16 07:23:35 +02:00