[PATCH] fs: romfs: Fix potential uninitialized memory leak

From: Fullway Wang
Date: Thu Jan 18 2024 - 02:14:38 EST

Next message: Chris Li: "Re: [PATCH 0/2] RFC: zswap tree use xarray instead of RB tree"
Previous message: Taehee Yoo: "Re: [PATCH net] ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work"
Next in thread: Christian Brauner: "Re: [PATCH] fs: romfs: Fix potential uninitialized memory leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

romfs_dev_read() fetches a caller-supplied number of bytes from the
backing device in an all-or-nothing manner.

Commit bcf85fc fixed CVE-2020-29371, which exposed the bug when
the requested length crossed the filesystem size limit, the number
of bytes to requested was truncated. However, in romfs_readdir()
in super.c, the requested number is firstly truncated with
romfs_dev_strnlen() then passed to romfs_dev_read(), leaving
the bug exploitable still.

Fix this by returning an error code instead of changing the length
in romfs_dev_strnlen() when the read might go beyond the end of
the filesystem.

Signed-off-by: Fullway Wang <fullwaywang@xxxxxxxxxxx>
---
fs/romfs/storage.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/romfs/storage.c b/fs/romfs/storage.c
index b57b3ffcbc32..e0e4ecca4e65 100644
--- a/fs/romfs/storage.c
+++ b/fs/romfs/storage.c
@@ -240,10 +240,8 @@ ssize_t romfs_dev_strnlen(struct super_block *sb,
size_t limit;

limit = romfs_maxsize(sb);
- if (pos >= limit)
+ if (pos >= limit || buflen > limit - pos)
return -EIO;
- if (maxlen > limit - pos)
- maxlen = limit - pos;

#ifdef CONFIG_ROMFS_ON_MTD
if (sb->s_mtd)
--
2.39.3 (Apple Git-145)

Next message: Chris Li: "Re: [PATCH 0/2] RFC: zswap tree use xarray instead of RB tree"
Previous message: Taehee Yoo: "Re: [PATCH net] ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work"
Next in thread: Christian Brauner: "Re: [PATCH] fs: romfs: Fix potential uninitialized memory leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]