From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Bernd Edlinger, Tejun Heo, Sasha Levin
Subject: [PATCH 4.14 125/239] kernfs: Fix range checks in kernfs_get_target_path
Date: Tue, 19 Nov 2019 06:18:45 +0100
Message-Id: <20191119051330.330237056@linuxfoundation.org>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <20191119051255.850204959@linuxfoundation.org>
References: <20191119051255.850204959@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Bernd Edlinger

[ Upstream commit a75e78f21f9ad4b810868c89dbbabcc3931591ca ]

The terminating NUL byte is only there because the buffer is
allocated with kzalloc(PAGE_SIZE, GFP_KERNEL), but since the
range-check is off-by-one, and PAGE_SIZE==PATH_MAX, the
returned string may not be zero-terminated if it is exactly
PATH_MAX characters long. Furthermore also the initial loop
may theoretically exceed PATH_MAX and cause a fault.

Signed-off-by: Bernd Edlinger
Acked-by: Tejun Heo
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
--- fs/kernfs/symlink.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/kernfs/symlink.c b/fs/kernfs/symlink.c index 5145ae2f0572e..d273e3accade6 100644 --- a/fs/kernfs/symlink.c +++ b/fs/kernfs/symlink.c @@ -63,6 +63,9 @@ static int kernfs_get_target_path(struct kernfs_node *parent, if (base == kn) break; + if ((s - path) + 3 >= PATH_MAX) + return -ENAMETOOLONG; + strcpy(s, "../"); s += 3; base = base->parent; @@ -79,7 +82,7 @@ static int kernfs_get_target_path(struct kernfs_node *parent, if (len < 2) return -EINVAL; len--; - if ((s - path) + len > PATH_MAX) + if ((s - path) + len >= PATH_MAX) return -ENAMETOOLONG; /* reverse fillup of target string from target to base */ -- 2.20.1
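
Review bot: In the first hunk (the "../" loop), the literal 3 now appears in both the new bound check and `s += 3`, and the check is only meaningful while both equal the length of "../"; deriving both from one expression such as sizeof("../") - 1 would keep them in step. The `>=` comparison itself fits strcpy, which writes the three characters plus a NUL, so (s - path) + 3 < PATH_MAX keeps that NUL at index PATH_MAX - 1 at most. That holds only if the buffer behind `path` is at least PATH_MAX bytes; the commit message says it comes from kzalloc(PAGE_SIZE, GFP_KERNEL) with PAGE_SIZE==PATH_MAX, and a short comment stating that requirement next to the check would make the dependency visible.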
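
Review bot: In the second hunk, `if ((s - path) + len >= PATH_MAX)` reserves the final byte for the terminator, yet nothing in the visible lines writes a NUL; per the commit message the terminator exists only because the caller zeroed the buffer with kzalloc. Consider a comment at this check saying the last byte is kept for the NUL, or storing the terminator explicitly after the reverse fill-up so the function does not depend on how the caller allocated `path`.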