From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexey Dobriyan, Pavel Emelyanov, Andrei Vagin, Andrew Morton, Linus Torvalds, Sasha Levin
Subject: [PATCH 3.18 039/185] proc: fix /proc/*/map_files lookup
Date: Mon, 28 May 2018 12:01:20 +0200
Message-Id: <20180528100054.088559083@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100050.700971285@linuxfoundation.org>
References: <20180528100050.700971285@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Dobriyan

[ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ]

Current code does:

    if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2)

However sscanf() is broken garbage.

It silently accepts whitespace between format specifiers
(did you know that?).

It silently accepts valid strings which result in integer overflow.

Do not use sscanf() for any even remotely reliable parsing code.

OK
    # readlink '/proc/1/map_files/55a23af39000-55a23b05b000'
    /lib/systemd/systemd

broken
    # readlink '/proc/1/map_files/ 55a23af39000-55a23b05b000'
    /lib/systemd/systemd

broken
    # readlink '/proc/1/map_files/55a23af39000-55a23b05b000 '
    /lib/systemd/systemd

very broken
    # readlink '/proc/1/map_files/1000000000000000055a23af39000-55a23b05b000'
    /lib/systemd/systemd

Andrei said:

: This patch breaks criu.  It was a bug in criu.  And this bug is on a minor
: path, which works when memfd_create() isn't available.  It is a reason why
: I ask to not backport this patch to stable kernels.
:
: In CRIU this bug can be triggered, only if this patch will be backported
: to a kernel which version is lower than v3.16.

Link: http://lkml.kernel.org/r/20171120212706.GA14325@avx2
Signed-off-by: Alexey Dobriyan Cc: Pavel Emelyanov Cc: Andrei Vagin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/proc/base.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -94,6 +94,8 @@ #include "internal.h" #include "fd.h" +#include "../../lib/kstrtox.h" + /* NOTE: * Implementing inode permission operations in /proc is almost * certainly an error. Permission checks need to happen during @@ -1642,8 +1644,33 @@ end_instantiate: static int dname_to_vma_addr(struct dentry *dentry, unsigned long *start, unsigned long *end) { - if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) + const char *str = dentry->d_name.name; + unsigned long long sval, eval; + unsigned int len; + + len = _parse_integer(str, 16, &sval); + if (len & KSTRTOX_OVERFLOW) + return -EINVAL; + if (sval != (unsigned long)sval) return -EINVAL; + str += len; + + if (*str != '-') + return -EINVAL; + str++; + + len = _parse_integer(str, 16, &eval); + if (len & KSTRTOX_OVERFLOW) + return -EINVAL; + if (eval != (unsigned long)eval) + return -EINVAL; + str += len; + + if (*str != '\0') + return -EINVAL; + + *start = sval; + *end = eval; return 0; }
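Review bot: the new `#include "../../lib/kstrtox.h"` in the first hunk pulls a private lib/ header into fs/proc/base.c by relative path; a one-line comment beside it explaining why the public kstrtoul() family cannot be used here (those helpers require the whole string to be a single integer, while this name is "<hex>-<hex>") would stop the next reader from "cleaning it up" back into a less strict parser.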
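Review bot: in the dname_to_vma_addr() hunk neither _parse_integer() call rejects an empty digit run: for a name such as "-" or "55a23af39000-" the call returns len == 0 with the value 0, no overflow bit is set, the `(unsigned long)` range check passes, and the '-' and '\0' checks still match, so the function returns 0 with a zero start or end instead of -EINVAL. Since the stated goal is strict parsing, add `if (len == 0) return -EINVAL;` after each call (or fold it in as `if (!len || (len & KSTRTOX_OVERFLOW))`) so the malformed name is refused here rather than relying on the later vma lookup failing on address 0.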
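The sscanf() behaviour the commit message describes (leading whitespace skipped, trailing bytes ignored, overflow accepted as a successful conversion) side by side with a strict parser written in the same shape as the patched dname_to_vma_addr(). This is an added userspace example, not code from the patch or from the kernel tree: parse_hex(), strict_range(), sscanf_range() and count_strict_rejections() are names chosen here, parse_hex() is a stand-in for the kernel-internal _parse_integer(), the inputs are the four names quoted in the commit message, and the example assumes an LP64 platform (64-bit unsigned long) with a C library whose "%lx" saturates or wraps on overflow but still counts the conversion, as glibc does.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical userspace stand-in for the kernel's _parse_integer(): consume
 * bare lower-case hex digits (no sign, no whitespace, no 0x prefix) and
 * return how many were consumed, or -1 if the value would not fit in an
 * unsigned long. Assumes a 64-bit unsigned long for the sample inputs. */
static int parse_hex(const char *s, unsigned long *out)
{
    unsigned long v = 0;
    int n = 0;

    for (;; s++, n++) {
        unsigned int d;

        if (*s >= '0' && *s <= '9')
            d = *s - '0';
        else if (*s >= 'a' && *s <= 'f')
            d = *s - 'a' + 10;
        else
            break;                      /* any other byte ends the digit run */
        if (v > (ULONG_MAX >> 4))
            return -1;                  /* the next shift would overflow */
        v = (v << 4) | d;
    }
    *out = v;
    return n;
}

/* Strict parser in the shape of the patched dname_to_vma_addr(): the name
 * must be exactly <hex>-<hex>, nothing before, between or after, and each
 * half must fit in an unsigned long. Returns 0 or -EINVAL. An empty digit
 * run is rejected as well, which the kernel hunk itself does not do. */
int strict_range(const char *str, unsigned long *start, unsigned long *end)
{
    unsigned long s, e;
    int len;

    len = parse_hex(str, &s);
    if (len <= 0)
        return -EINVAL;
    str += len;
    if (*str != '-')
        return -EINVAL;
    str++;
    len = parse_hex(str, &e);
    if (len <= 0)
        return -EINVAL;
    str += len;
    if (*str != '\0')
        return -EINVAL;
    *start = s;
    *end = e;
    return 0;
}

/* The lax parser the patch removes: "%lx" skips leading whitespace, stops
 * silently at the first non-hex byte, and on overflow the C library
 * saturates or wraps the value while still counting the conversion. */
int sscanf_range(const char *str, unsigned long *start, unsigned long *end)
{
    if (sscanf(str, "%lx-%lx", start, end) != 2)
        return -EINVAL;
    return 0;
}

/* Runs the four names quoted in the commit message (constructed inputs) through
 * both parsers and returns how many the strict one rejects; sscanf_range()
 * accepts all four. */
int count_strict_rejections(void)
{
    static const char *const names[] = {
        "55a23af39000-55a23b05b000",                    /* OK */
        " 55a23af39000-55a23b05b000",                   /* leading space */
        "55a23af39000-55a23b05b000 ",                   /* trailing space */
        "1000000000000000055a23af39000-55a23b05b000",   /* overflow */
    };
    int rejected = 0;

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        unsigned long s = 0, e = 0;
        int lax = sscanf_range(names[i], &s, &e);
        int strict = strict_range(names[i], &s, &e);

        printf("%-46s sscanf:%-6s strict:%s\n", names[i],
               lax ? "EINVAL" : "ok", strict ? "EINVAL" : "ok");
        if (strict)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    return count_strict_rejections() == 3 ? 0 : 1;
}
```

The point for anyone parsing attacker-influenced names (here a path component chosen by whoever does the lookup) is the last check in strict_range(): after both halves are consumed the string must be at its terminator, which is what turns "accepts anything that starts right" into "accepts exactly the canonical name".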