From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Al Viro", "Linus Torvalds", "Jeff Mahoney", "Eric Biggers", "Jann Horn"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 155/328] reiserfs: fix broken xattr handling (heap corruption, bad retval)
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.62-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jann Horn

commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.

This fixes the following issues:

- When a buffer size is supplied to reiserfs_listxattr() such that each
  individual name fits, but the concatenation of all names doesn't fit,
  reiserfs_listxattr() overflows the supplied buffer. This leads to a kernel
  heap overflow (verified using KASAN) followed by an out-of-bounds usercopy
  and is therefore a security bug.

- When a buffer size is supplied to reiserfs_listxattr() such that a name
  doesn't fit, -ERANGE should be returned. But reiserfs instead just
  truncates the list of names; I have verified that if the only xattr on a
  file has a longer name than the supplied buffer length, listxattr()
  incorrectly returns zero.

With my patch applied, -ERANGE is returned in both cases and the memory
corruption doesn't happen anymore.

Credit for making me clean this code up a bit goes to Al Viro, who pointed
out that the ->actor calling convention is suboptimal and should be changed.

Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
Signed-off-by: Jann Horn
Acked-by: Jeff Mahoney
Cc: Eric Biggers
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
[bwh: Backported to 3.16:
 - The xattr handler's list operation does the copy, so also update the
   buffer size we pass to it
 - Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/fs/reiserfs/xattr.c +++ b/fs/reiserfs/xattr.c @@ -822,10 +822,12 @@ static int listxattr_filler(void *buf, c return 0; if (b->buf) { size = handler->list(b->dentry, b->buf + b->pos, - b->size, name, namelen, + b->size - b->pos, name, namelen, handler->flags); - if (size > b->size) + if (b->pos + size > b->size) { + b->pos = -ERANGE; return -ERANGE; + } } else { size = handler->list(b->dentry, NULL, 0, name, namelen, handler->flags);
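Review bot: the new bound check `if (b->pos + size > b->size)` only covers the too-large case; `size` is whatever `handler->list()` returned, and a negative error value would pass that comparison unnoticed. If a list callback can fail, add an `if (size < 0) return size;` (or equivalent) before the comparison in this hunk; if none can, a one-line comment saying so would save the next reader the question. The `b->pos = -ERANGE` sentinel also turns a byte count into an error carrier, so every consumer of `b->pos` now has to treat a negative value as failure; that consumer is outside the visible hunk, and the backport note would be clearer if it named the caller that checks it.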
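As an added example (not kernel code and not part of the patch above), the following user-space model reproduces the accounting mistake the commit message describes, before and after the fix: the callback is handed the buffer size, and the pre-patch code passes the whole size instead of the remaining space, so a name that fits on its own is written past the end once earlier names have been copied. The names, the 16-byte logical buffer and the canary area are all constructed for the demonstration; the canary turns the overflow into a flag instead of real memory corruption.

```c
/* Added example, not kernel code: a user-space model of the listxattr_filler()
 * accounting this patch changes; names and buffer sizes are constructed. */
#include <errno.h>
#include <string.h>
struct listxattr_buf { char *buf; size_t size; long pos; };
struct run_result { long pos; int clobbered; };
/* Stand-in for handler->list(): copies "name\0" only if it fits in out_size
 * and always returns the length it needs, like the real callback. */
static size_t model_list(char *out, size_t out_size, const char *name)
{
    size_t len = strlen(name) + 1;
    if (out && len <= out_size)
        memcpy(out, name, len);
    return len;
}
/* fixed == 0 keeps the pre-patch accounting: the callback is told the whole
 * buffer is free and only size > b->size is checked, so later names run past the end. */
static int filler(struct listxattr_buf *b, const char *name, int fixed)
{
    size_t size;
    if (b->buf) {
        size_t avail = fixed ? b->size - (size_t)b->pos : b->size;
        size = model_list(b->buf + b->pos, avail, name);
        if ((fixed ? (size_t)b->pos + size : size) > b->size) {
            b->pos = -ERANGE;   /* sentinel the caller must check, as in the patch */
            return -ERANGE;
        }
    } else {
        size = model_list(NULL, 0, name);   /* size-probe call, buf == NULL */
    }
    b->pos += (long)size;
    return 0;
}
/* Runs the filler with a bufsize-byte logical buffer inside a canary-filled area;
 * clobbered == 1 means bytes past bufsize were written (the KASAN-reported overflow). */
static struct run_result run_listxattr(const char *const *names, size_t n, size_t bufsize, int fixed)
{
    char storage[64];
    struct listxattr_buf b = { storage, bufsize, 0 };
    struct run_result r = { 0, 0 };
    memset(storage, 0xA5, sizeof storage);
    for (size_t i = 0; i < n; i++)
        if (filler(&b, names[i], fixed) < 0) break;
    for (size_t i = bufsize; i < sizeof storage; i++)
        if ((unsigned char)storage[i] != 0xA5) r.clobbered = 1;
    r.pos = b.pos;
    return r;
}
/* Constructed names: each fits a 16-byte buffer alone, 21 bytes together. */
static const char *const demo_names[] = { "user.alpha", "user.beta" };
```

With `fixed == 0` the run returns a length of 21 for a 16-byte buffer and trips the canary; with `fixed == 1` the same input yields -ERANGE and no bytes beyond the buffer are touched.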