authorNeilBrown <neilb@suse.com>2018-11-01 14:04:41 +1100
committerNeilBrown <neilb@suse.com>2018-11-01 14:05:53 +1100
commitb5c10ec2c7aeb10717a908d55c139206a28517ba (patch)
tree690cf96e7a748b545921a88f101348439fad9f4c
parent5a4280cd2230ea0265839de0cc9ca2924a234078 (diff)
autofs: fix slab out of bounds read in getname_kernel()
(git-fixes).
-rw-r--r--patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch82
-rw-r--r--series.conf1
2 files changed, 83 insertions, 0 deletions
diff --git a/patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch b/patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch
new file mode 100644
index 0000000000..a61bf32f1a
--- /dev/null
+++ b/patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch
@@ -0,0 +1,82 @@
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Fri, 13 Jul 2018 16:58:59 -0700
+Subject: [PATCH] autofs: fix slab out of bounds read in getname_kernel()
+Git-commit: 02f51d45937f7bc7f4dee21e9f85b2d5eac37104
+Patch-mainline: v4.18
+References: git-fixes
+
+The autofs subsystem does not check that the "path" parameter is present
+for all cases where it is required when it is passed in via the "param"
+struct.
+
+In particular it isn't checked for the AUTOFS_DEV_IOCTL_OPENMOUNT_CMD
+ioctl command.
+
+To solve it, modify validate_dev_ioctl(function to check that a path has
+been provided for ioctl commands that require it.
+
+Link: http://lkml.kernel.org/r/153060031527.26631.18306637892746301555.stgit@pluto.themaw.net
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Signed-off-by: Ian Kent <raven@themaw.net>
+Reported-by: syzbot+60c837b428dc84e83a93@syzkaller.appspotmail.com
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/autofs4/dev-ioctl.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/fs/autofs4/dev-ioctl.c
++++ b/fs/autofs4/dev-ioctl.c
+@@ -148,6 +148,15 @@ static int validate_dev_ioctl(int cmd, s
+ cmd);
+ goto out;
+ }
++ } else {
++ unsigned int inr = _IOC_NR(cmd);
++
++ if (inr == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD ||
++ inr == AUTOFS_DEV_IOCTL_REQUESTER_CMD ||
++ inr == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD) {
++ err = -EINVAL;
++ goto out;
++ }
+ }
+
+ err = 0;
+@@ -289,7 +298,8 @@ static int autofs_dev_ioctl_openmount(st
+ dev_t devid;
+ int err, fd;
+
+- /* param->path has already been checked */
++ /* param->path has been checked in validate_dev_ioctl() */
++
+ if (!param->openmount.devid)
+ return -EINVAL;
+
+@@ -451,10 +461,7 @@ static int autofs_dev_ioctl_requester(st
+ dev_t devid;
+ int err = -ENOENT;
+
+- if (param->size <= sizeof(*param)) {
+- err = -EINVAL;
+- goto out;
+- }
++ /* param->path has been checked in validate_dev_ioctl() */
+
+ devid = sbi->sb->s_dev;
+
+@@ -539,10 +546,7 @@ static int autofs_dev_ioctl_ismountpoint
+ unsigned int devid, magic;
+ int err = -ENOENT;
+
+- if (param->size <= sizeof(*param)) {
+- err = -EINVAL;
+- goto out;
+- }
++ /* param->path has been checked in validate_dev_ioctl() */
+
+ name = param->path;
+ type = param->ismountpoint.in.type;
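Review bot: The three-command list added in the `else` branch of validate_dev_ioctl() is now the only guard that stops the openmount, requester and ismountpoint handlers from reading `param->path` when no path was supplied, and nothing at the list records that. A comment above `if (inr == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD ||`, such as `/* Commands whose handlers read param->path; any new path-consuming command must be added here. */`, would help keep a later command from reintroducing the out-of-bounds read this patch describes. The `if` that the new `else` pairs with lies above the hunk's context, so it cannot be confirmed from this page that its condition is the exact complement of the removed `param->size <= sizeof(*param)` checks; that is worth verifying against the full function in this backport tree. validate_dev_ioctl() and all three handlers start and end outside the hunks shown.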
diff --git a/series.conf b/series.conf
index eaa6215c84..b0dd3a60e1 100644
--- a/series.conf
+++ b/series.conf
@@ -16944,6 +16944,7 @@
patches.drivers/IB-hfi1-Fix-incorrect-mixing-of-ERR_PTR-and-NULL-ret.patch
patches.drivers/RDMA-mlx5-Fix-memory-leak-in-mlx5_ib_create_srq-erro.patch
patches.drivers/i2c-tegra-Fix-NACK-error-handling
+ patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch
patches.fixes/reiserfs-fix-buffer-overflow-with-long-warning-messa.patch
patches.arch/ARM-pxa-irq-fix-handling-of-ICMR-registers-in-suspen.patch
patches.arch/ARM-DRA7-OMAP5-Enable-ACTLR-0-Enable-invalidates-of-.patch