From: Christoph Hellwig
To: ericvh@gmail.com, lucho@ionkov.net, asmadeus@codewreck.org
Cc: v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com
Subject: [PATCH] net/9p: validate fds in p9_fd_open
Date: Fri, 10 Jul 2020 10:57:22 +0200
Message-Id: <20200710085722.435850-1-hch@lst.de>

p9_fd_open just fgets file descriptors passed in from userspace, but doesn't verify that they are valid for reading or writing. This gets caught down in the VFS when actually attempting a read or write, but a new warning added in linux-next upsets syzkaller. Fix this by just verifying the fds early on.

Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com
Signed-off-by: Christoph Hellwig

--- net/9p/trans_fd.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 13cd683a658ab6..1cd8ea0e493617 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c
@@ -803,20 +803,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) return -ENOMEM; ts->rd = fget(rfd); + if (!ts->rd) + goto out_free_ts; + if (!(ts->rd->f_mode & FMODE_READ)) + goto out_put_wr; ts->wr = fget(wfd); - if (!ts->rd || !ts->wr) { - if (ts->rd) - fput(ts->rd); - if (ts->wr) - fput(ts->wr); - kfree(ts); - return -EIO; - } + if (!ts->wr) + goto out_put_rd; + if (!(ts->wr->f_mode & FMODE_WRITE)) + goto out_put_wr; client->trans = ts; client->status = Connected; return 0; + +out_put_wr: + fput(ts->wr); +out_put_rd: + fput(ts->rd); +out_free_ts: + kfree(ts); + return -EIO; } static int p9_socket_open(struct p9_client *client, struct socket *csocket) -- 2.26.2
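
Review bot: the FMODE_READ failure path in p9_fd_open uses the wrong unwind label. `if (!(ts->rd->f_mode & FMODE_READ)) goto out_put_wr;` runs before `ts->wr = fget(wfd);`, so the `fput(ts->wr)` under out_put_wr is called on a pointer this function has not assigned yet. That branch should be `goto out_put_rd;`, which drops only the reference taken on rfd. The later FMODE_WRITE check is fine with out_put_wr, since both references are held at that point. A smaller point: all four failure cases still return -EIO, so a caller cannot tell a bad descriptor from one opened with the wrong mode; if that distinction matters, it could be returned from the new checks and noted in the commit message.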