From: Tomas Bortoli
To: dhowells@redhat.com
Cc: linux-cachefs@redhat.com, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Tomas Bortoli
Subject: [PATCH] fscache: fscache_set_key() - align alloc and usage
Date: Sun, 22 Jul 2018 13:05:19 +0200
Message-Id: <20180722110519.23917-1-tomasbortoli@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The fscache_set_key() function allocates the buf pointer if index_key_len > sizeof(cookie->inline_key). In such cases the allocated space might not be aligned with the pointer type. This may result in an out-of-bound in the for-loop later in the same function, as the counter is rounded up.

Signed-off-by: Tomas Bortoli
Reported-by: syzbot+a95b989b2dde8e806af8@syzkaller.appspotmail.com
--- fs/fscache/cookie.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c index 97137d7ec5ee..ed28bfb6a0fe 100644 --- a/fs/fscache/cookie.c +++ b/fs/fscache/cookie.c 
@@ -98,7 +98,7 @@ static int fscache_set_key(struct fscache_cookie *cookie, cookie->key_len = index_key_len; if (index_key_len > sizeof(cookie->inline_key)) { - buf = kzalloc(index_key_len, GFP_KERNEL); + buf = kzalloc(round_up(index_key_len, sizeof(u32)), GFP_KERNEL); if (!buf) return -ENOMEM; cookie->key = buf; -- 2.11.0
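Review bot: On the changed kzalloc() line, the buffer is now sized with round_up(index_key_len, sizeof(u32)) while cookie->key_len, set a few lines above, still holds the unrounded index_key_len, and nothing in the code says why the two lengths differ. A short comment at the allocation would help, stating that the later for-loop walks the key in u32 units and reads the padding bytes, which is also why this has to stay kzalloc() (zeroed padding) and must not become kmalloc(). The changelog describes the problem as the allocation not being "aligned with the pointer type", but what the change adjusts is the allocation size, so wording such as "allocation is not padded to a multiple of sizeof(u32)" would match the code. The diffstat (1 insertion, 2 deletions) does not agree with the hunk, which removes one line and adds one under a -98,7 +98,7 header; please regenerate the patch so the two are consistent.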