From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jann Horn, Andrew Morton, David Howells, Linus Torvalds
Subject: [PATCH 5.8 014/148] romfs: fix uninitialized memory leak in romfs_dev_read()
Date: Mon, 24 Aug 2020 10:28:32 +0200
Message-Id: <20200824082414.647524908@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200824082413.900489417@linuxfoundation.org>
References: <20200824082413.900489417@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: 
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jann Horn

commit bcf85fcedfdd17911982a3e3564fcfec7b01eebd upstream.

romfs has a superblock field that limits the size of the filesystem; data beyond that limit is never accessed.

romfs_dev_read() fetches a caller-supplied number of bytes from the backing device. It returns 0 on success or an error code on failure; therefore, its API can't represent short reads, it's all-or-nothing.

However, when romfs_dev_read() detects that the requested operation would cross the filesystem size limit, it currently silently truncates the requested number of bytes. This e.g. means that when the content of a file with size 0x1000 starts one byte before the filesystem size limit, ->readpage() will only fill a single byte of the supplied page while leaving the rest uninitialized, leaking that uninitialized memory to userspace.

Fix it by returning an error code instead of truncating the read when the requested read operation would go beyond the end of the filesystem.

Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly")
Signed-off-by: Jann Horn
Signed-off-by: Andrew Morton
Reviewed-by: Greg Kroah-Hartman
Cc: David Howells
Cc: 
Link: http://lkml.kernel.org/r/20200818013202.2246365-1-jannh@google.com
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman --- fs/romfs/storage.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/fs/romfs/storage.c +++ b/fs/romfs/storage.c @@ -217,10 +217,8 @@ int romfs_dev_read(struct super_block *s size_t limit; limit = romfs_maxsize(sb); - if (pos >= limit) + if (pos >= limit || buflen > limit - pos) return -EIO; - if (buflen > limit - pos) - buflen = limit - pos; #ifdef CONFIG_ROMFS_ON_MTD if (sb->s_mtd)
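Review bot: the merged condition `if (pos >= limit || buflen > limit - pos)` is only safe because of short-circuit order: `limit` is declared `size_t`, so `limit - pos` would wrap to a huge value if it were ever evaluated with `pos > limit`, and the preceding `pos >= limit` test is what prevents that. A one-line comment stating that the order matters would protect the check against a future reordering. Also worth a quick pass over the callers of romfs_dev_read(): with the `buflen = limit - pos;` fallback gone, a read that touches the tail of the filesystem now returns -EIO where it previously returned 0 with a shortened buffer. That is the intended fix, since the changelog says the API is all-or-nothing, but every caller must propagate the error rather than consume the buffer, because consuming a partially filled buffer was exactly the uninitialized-memory path described above.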
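To make the failure mode in the changelog concrete, here is an added example (not part of the patch or of the romfs code) that models both the truncating and the all-or-nothing variant of the bounds check against a constructed in-memory device; FS_LIMIT, PAGE_SZ, dev, read_truncating(), read_all_or_nothing() and probe() are all constructed names. A page-sized read that starts one byte before the limit leaves 0xfff sentinel bytes untouched under the old logic, while the fixed logic refuses the read outright.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#define FS_LIMIT 0x2000u   /* constructed stand-in for romfs_maxsize(sb) */
#define PAGE_SZ  0x1000u   /* one page, as in the changelog's example   */

/* Constructed backing device: FS_LIMIT bytes of (zero) filesystem data. */
static const unsigned char dev[FS_LIMIT];

/* Pre-fix behaviour: a read crossing the limit is quietly shortened but
 * still reports success, so the caller never learns buf was partly written. */
static int read_truncating(size_t pos, void *buf, size_t buflen)
{
    size_t limit = FS_LIMIT;
    if (pos >= limit)
        return -EIO;
    if (buflen > limit - pos)
        buflen = limit - pos;          /* short read, caller not told */
    memcpy(buf, dev + pos, buflen);
    return 0;
}

/* Fixed behaviour, mirroring the hunk: a read that would cross the limit
 * fails outright.  pos >= limit goes first so limit - pos cannot wrap. */
static int read_all_or_nothing(size_t pos, void *buf, size_t buflen)
{
    size_t limit = FS_LIMIT;
    if (pos >= limit || buflen > limit - pos)
        return -EIO;
    memcpy(buf, dev + pos, buflen);
    return 0;
}

/* Fill a page with a 0x55 sentinel (standing in for stale memory), run the
 * given read, and return its negative error code on failure, otherwise the
 * number of sentinel bytes the read left untouched.  len <= PAGE_SZ. */
static long probe(int (*rd)(size_t, void *, size_t), size_t pos, size_t len)
{
    unsigned char page[PAGE_SZ];
    size_t untouched = 0;
    if (len > sizeof page)
        return -EINVAL;
    memset(page, 0x55, sizeof page);
    int ret = rd(pos, page, len);
    if (ret < 0)
        return ret;
    for (size_t i = 0; i < sizeof page; i++)
        untouched += (page[i] == 0x55);
    return (long)untouched;
}
```

A real ->readpage() would hand the page to userspace, so every untouched sentinel byte in the truncating case corresponds to a byte of stale kernel memory disclosed.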