Message-ID: <1530493827.2749.8.camel@themaw.net>
Subject: Re: [PATCH upstream] KASAN: slab-out-of-bounds Read in getname_kernel
From: Ian Kent
To: tomas, autofs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, syzkaller@googlegroups.com
Date: Mon, 02 Jul 2018 09:10:27 +0800
In-Reply-To: <38c5a8ad-c192-74b9-b2ff-9eb2a3386930@gmail.com>
References: <38c5a8ad-c192-74b9-b2ff-9eb2a3386930@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 2018-07-02 at 00:04 +0200, tomas wrote:
> Hi,
> 
> I've looked into this issue found by Syzbot and I made a patch:
> 
> https://syzkaller.appspot.com/bug?id=d03abd8b42847f7f69b1d1d7f97208ae425b1163

Umm ... oops!

Thanks for looking into this Tomas.

> 
> The autofs subsystem does not check that the "path" parameter is present
> within the "param" struct passed by the userspace in case the
> AUTOFS_DEV_IOCTL_OPENMOUNT_CMD command is passed. Indeed, it assumes a
> path is always provided (though a path is not always present, as per how
> the struct is defined:
> https://github.com/torvalds/linux/blob/master/include/uapi/linux/auto_dev-ioctl.h#L89).
> Skipping the check provokes an oob read in "strlen", called by
> "getname_kernel", in turn called by the autofs to assess the length of
> the non-existing path.
> 
> To solve it, modify the "validate_dev_ioctl" function to check also that
> a path has been provided if the command is AUTOFS_DEV_IOCTL_OPENMOUNT_CMD.
> 
> --- b/fs/autofs/dev-ioctl.c	2018-07-01 23:10:16.059728621 +0200
> +++ a/fs/autofs/dev-ioctl.c	2018-07-01 23:10:24.311792133 +0200
> @@ -136,6 +136,9 @@ static int validate_dev_ioctl(int cmd, s
>  goto out;
>  }
>  }
> + /* AUTOFS_DEV_IOCTL_OPENMOUNT_CMD without path */
> + else if(_IOC_NR(cmd) == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD)
> + return -EINVAL;

My preference is to put the comment inside the else but ...

There's another question, should the check be done in
autofs_dev_ioctl_openmount() in the same way it's checked in other
ioctls that need a path, such as in autofs_dev_ioctl_requester() and
autofs_dev_ioctl_ismountpoint()?

For consistency I'd say it should.

> 
>  err = 0;
>  out:
> 
> 
> Tested and solves the issue on Linus' main git tree.
> 

Ian
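Review bot: the new `else if` branch returns -EINVAL directly, whereas every other failure path visible in this function (the `goto out;` context line above it and the `err = 0;` / `out:` lines that follow) sets `err` and jumps to the common exit; `err = -EINVAL; goto out;` would keep the function's single-exit convention. Two style points on the same three lines: kernel style is `else if (` with a space before the parenthesis, and placing the comment between the closing `}` and the `else if` visually detaches the `else` from its `if`, which is what Ian's "inside the else" remark is about; moving the comment into the branch body resolves it. On the file header, `--- b/fs/autofs/dev-ioctl.c` / `+++ a/fs/autofs/dev-ioctl.c` are reversed relative to the usual `--- a/` / `+++ b/` pairing, so the diff direction should be double-checked, and the submission carries no commit message or Signed-off-by line, both of which are needed before it could be applied.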
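To make the failure mode and the fix concrete outside the kernel, here is an added example in C that is not from this thread, from tomas's patch or from the kernel tree: a user-space model of the validation step that tomas's hunk and Ian's reply are about. The header layout (`struct dev_ioctl_hdr`), the command numbers in `enum model_cmd`, and every function name are simplified stand-ins invented for the model, not the real `autofs_dev_ioctl` definitions; the sample path `/mnt/auto` is constructed input. It shows the two checks a defender wants here: a path that is present must be NUL-terminated inside the buffer the caller sized, and a command that dereferences the path must be refused when the buffer is header-only, so that no `strlen()` ever runs past the allocation.

```c
/*
 * Added example, not code from this thread or from the kernel: a user-space
 * model of the validation step under discussion. The header layout, command
 * numbers and every name below are simplified stand-ins for the real
 * autofs_dev_ioctl interface, invented for the model.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command numbers (not the kernel's values). */
enum model_cmd { CMD_VERSION, CMD_OPENMOUNT, CMD_REQUESTER, CMD_ISMOUNTPOINT };

/* Fixed header; an optional NUL-terminated path follows it in memory.
 * `size` is the total byte count the caller handed in, header included,
 * so size == DEV_IOCTL_SIZE means "no path supplied". */
struct dev_ioctl_hdr {
    uint32_t ver_major, ver_minor, size;
    int32_t  ioctlfd;
};
#define DEV_IOCTL_SIZE sizeof(struct dev_ioctl_hdr)

/* Backing storage for one request: header plus room for a path. */
union request {
    struct dev_ioctl_hdr hdr;
    unsigned char raw[256];
};

static const char *ioctl_path(const struct dev_ioctl_hdr *p)
{
    return (const char *)p + DEV_IOCTL_SIZE;
}

/* Commands that dereference the path and therefore require one. */
static int cmd_needs_path(int cmd)
{
    return cmd == CMD_OPENMOUNT || cmd == CMD_REQUESTER ||
           cmd == CMD_ISMOUNTPOINT;
}

/* 0 when the buffer is safe to use for `cmd`, -EINVAL otherwise. The caller
 * guarantees `p` points to at least p->size readable bytes. A path that is
 * present must be NUL-terminated inside the buffer, and a command that needs
 * a path must not arrive as a header-only buffer, so strlen() is never run
 * past the end of the allocation. */
static int validate_dev_ioctl_model(int cmd, const struct dev_ioctl_hdr *p)
{
    if (p->size < DEV_IOCTL_SIZE)
        return -EINVAL;                     /* header itself truncated */

    if (p->size > DEV_IOCTL_SIZE) {
        size_t path_len = p->size - DEV_IOCTL_SIZE;
        /* memchr is bounded by path_len; strlen would not be. */
        if (memchr(ioctl_path(p), '\0', path_len) == NULL)
            return -EINVAL;                 /* terminator missing */
    } else if (cmd_needs_path(cmd)) {
        return -EINVAL;                     /* path required, none given */
    }
    return 0;
}

/* Build a request with an optional path; returns the total size used. */
static size_t build_request(union request *r, const char *path)
{
    size_t total = DEV_IOCTL_SIZE + (path ? strlen(path) + 1 : 0);
    memset(r, 0, sizeof *r);
    if (total > sizeof r->raw)
        return 0;
    r->hdr.size = (uint32_t)total;
    if (path)
        memcpy(r->raw + DEV_IOCTL_SIZE, path, strlen(path) + 1);
    return total;
}

/* One scenario: build a request from constructed input, optionally clobber
 * its NUL terminator, and return the validator's verdict. */
static int run(int cmd, const char *path, int clobber_terminator)
{
    union request r;
    size_t n = build_request(&r, path);

    if (clobber_terminator && n)
        r.raw[n - 1] = 'x';
    return validate_dev_ioctl_model(cmd, &r.hdr);
}

int openmount_without_path(void) { return run(CMD_OPENMOUNT, NULL, 0); }      /* syzbot case */
int openmount_with_path(void)    { return run(CMD_OPENMOUNT, "/mnt/auto", 0); }
int version_without_path(void)   { return run(CMD_VERSION, NULL, 0); }        /* path optional */
int unterminated_path(void)      { return run(CMD_OPENMOUNT, "/mnt/auto", 1); }

int main(void)
{
    printf("openmount without path -> %d, unterminated path -> %d\n",
           openmount_without_path(), unterminated_path());
    return 0;
}
```

The two branches of `validate_dev_ioctl_model` map onto the thread: the `memchr` branch is the existing terminator check for buffers that do carry a path, and the `cmd_needs_path` branch is the missing presence check, expressed as a table of path-requiring commands rather than a single `OPENMOUNT` comparison, which is the consistency point Ian raises.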