Received: by 2002:a05:7412:b101:b0:e2:908c:2ebd with SMTP id az1csp3333839rdb; Thu, 16 Nov 2023 06:59:00 -0800 (PST) X-Google-Smtp-Source: AGHT+IHr3j+cn2ykIs1isEZXvgl32nZqi5Mz7i9V19IM2eZMDVzIquKzQKiN3uilTDPGHrJqXiTz X-Received: by 2002:a17:902:c949:b0:1cc:4f55:db72 with SMTP id i9-20020a170902c94900b001cc4f55db72mr11959765pla.0.1700146740485; Thu, 16 Nov 2023 06:59:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700146740; cv=none; d=google.com; s=arc-20160816; b=dOVhiBT87pcU05BKykC+FQ1NUDCWpEJ+XtZcSK92AUKR1lInUsAIbGPQplgNcEJNGB C4TILiwq8YTB1u/bedQK4GOXVQDB8ijwUiFHjM7/PFwJdkonWjbZ1EhUdzgoFMSFiV/w y2Xi/qIzAz9GAJNp/95iAMtbTkHs9V19o/HsC+qfkTHepWyZ1ShVHSQcd/jJ/4f3WrDl +Tdwx5LMCV4whlGC2jqwkrQyaewjjCc0DuUu9Z2CX5ynfHHu/mzklbs9oFwWB9WL5toT l0ZabUUIBSaIoXRBLjgFXjwUW7FXrvUIkO8Hw0Pk0NyjMG7yG8aPpIJhE0nXwSU3Qap3 VJTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=1A1kbRe0EqpzNlHO8ETKahZUcPej3tPyJDaCd+sxobo=; fh=Xdx6dVJ4Oh4oulBPEM29CsF6uvGLq28Ydsb9lnfFhIM=; b=uxfas4gDeXgbzFx1a7fKCj/+h3wTCYDNdMI9BqcQhrEiPIxhjSUs0pGKmdoybsbnAm lhmbnSEVUROFLylN8ntJte6zGi4dSXq5MF9ejKtpMbDriH7zP2j+rO6elxCbVke2UXI7 uq3RZ/7PFeatzN0eNjkLVT21TvgbhrCQqCjllqdqWxyo9DYWA1yP5CrLYdYqKBvq8AGd A9vFV+K95ieSr2OQprWGoPOdWzARg1i04I3XEQ34dTuv3MUtlryKHp4FN9ga8kEAEwxV YBn+tnCMiI9JsU0IlmFz3wAyD59STSjJzqSEMGGfbsROKQaMftoUyHCGHksIKwraRzhT Ha4Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=RJ34yMS7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id t8-20020a170902bc4800b001cc3473657bsi12448438plz.215.2023.11.16.06.59.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Nov 2023 06:59:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=RJ34yMS7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 4CF258029889; Thu, 16 Nov 2023 06:58:57 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345319AbjKPO6p (ORCPT + 99 others); Thu, 16 Nov 2023 09:58:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48048 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235193AbjKPO6o (ORCPT ); Thu, 16 Nov 2023 09:58:44 -0500 Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DE9D893 for ; Thu, 16 Nov 2023 06:58:40 -0800 (PST) Received: by mail-pf1-x434.google.com with SMTP id d2e1a72fcca58-6b7f0170d7bso841111b3a.2 for ; Thu, 16 Nov 2023 06:58:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1700146720; x=1700751520; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=1A1kbRe0EqpzNlHO8ETKahZUcPej3tPyJDaCd+sxobo=; b=RJ34yMS7kb6vtpRCJ5bcjplMFnH5O1lEKp7lKmDXna9pjqKJk8fC1FDUIW4G+Zdq4u k8DetfXOIK69riY4ImMwvCn5X64BwUyqayMTPKBPsP2qppwGi3aGWABz/e3Y1FAB5XJm gUQxEcE55ytjScuerMxjYOLHCQpSpRGPoFVNw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700146720; x=1700751520; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=1A1kbRe0EqpzNlHO8ETKahZUcPej3tPyJDaCd+sxobo=; b=TzV1w7T8zhhUDvjh2jkMYBnE9O5BCez1qVwIATq5KIdZxEsn0DR5rh0nvivU6KBn6L YSyKE++EcJSWht36VQQS0DXOvqdJ0rtl+uE6trA08XcCS3dmDMwHIB9ZnSEvHcIwC0P/ RwoGeIaDsSSgkcUEcDIR2Ua8Qk96mc4v16vCSBQukOVzaGcJqCkM3WersgMEMdFoPS34 UZJ9I3W/5raLN4iciRYJyqOY7ZxDZp7gJZgT2A364+FOlI/8hTxjr3H7BpqlfMNq4UvA ctzwdEGrwkunjSZDTGIAbR+2+w0pl/bi9PV96ew1rsGtoVGMZR6kvtBlizHb4YihyhiJ 613g== X-Gm-Message-State: AOJu0YzgmM/y5Pe9+RFuAnalqaaV/74y8aSzeY6byoVqECyiw6M/hmn0 urONkLKxUPi9SNWzJpqYVSIiEcjcNWIheXdEciugMg== X-Received: by 2002:a05:6a00:1da0:b0:6bf:50df:2df5 with SMTP id z32-20020a056a001da000b006bf50df2df5mr20221097pfw.13.1700146720314; Thu, 16 Nov 2023 06:58:40 -0800 (PST) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id h10-20020a056a00218a00b006c34015a8f2sm4756291pfi.146.2023.11.16.06.58.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Nov 2023 06:58:39 -0800 (PST) Date: Thu, 16 Nov 2023 06:58:39 -0800 From: Kees Cook To: Ronald Monthero Cc: al@alarsen.net, gustavoars@kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] qnx4: fix to avoid panic due to buffer overflow Message-ID: <202311160631.5ACFB84B7C@keescook> References: <20231112095353.579855-1-debug.penguin32@gmail.com> <202311160612.C38BF44@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202311160612.C38BF44@keescook> X-Spam-Status: No, score=-1.0 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Thu, 16 Nov 2023 06:58:57 -0800 (PST) On Thu, Nov 16, 2023 at 06:29:59AM -0800, Kees Cook wrote: > On Sun, Nov 12, 2023 at 07:53:53PM +1000, Ronald Monthero wrote: > > qnx4 dir name length can vary to be of maximum size > > QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether > > 'link info' entry is stored and the status byte is set. > > So to avoid buffer overflow check di_fname length > > fetched from (struct qnx4_inode_entry *) > > before use in strlen to avoid buffer overflow. > > > > panic context > > [ 4849.636861] detected buffer overflow in strlen > > [ 4849.636897] ------------[ cut here ]------------ > > [ 4849.636902] kernel BUG at lib/string.c:1165! > > [ 4849.636917] invalid opcode: 0000 [#2] SMP PTI > > .. > > [ 4849.637047] Call Trace: > > [ 4849.637053] > > [ 4849.637059] ? show_trace_log_lvl+0x1d6/0x2ea > > [ 4849.637075] ? show_trace_log_lvl+0x1d6/0x2ea > > [ 4849.637095] ? qnx4_find_entry.cold+0xc/0x18 [qnx4] > > [ 4849.637111] ? show_regs.part.0+0x23/0x29 > > [ 4849.637123] ? __die_body.cold+0x8/0xd > > [ 4849.637135] ? __die+0x2b/0x37 > > [ 4849.637147] ? die+0x30/0x60 > > [ 4849.637161] ? do_trap+0xbe/0x100 > > [ 4849.637171] ? do_error_trap+0x6f/0xb0 > > [ 4849.637180] ? fortify_panic+0x13/0x15 > > [ 4849.637192] ? exc_invalid_op+0x53/0x70 > > [ 4849.637203] ? fortify_panic+0x13/0x15 > > [ 4849.637215] ? asm_exc_invalid_op+0x1b/0x20 > > [ 4849.637228] ? fortify_panic+0x13/0x15 > > [ 4849.637240] ? fortify_panic+0x13/0x15 > > [ 4849.637251] qnx4_find_entry.cold+0xc/0x18 [qnx4] > > [ 4849.637264] qnx4_lookup+0x3c/0xa0 [qnx4] > > [ 4849.637275] __lookup_slow+0x85/0x150 > > [ 4849.637291] walk_component+0x145/0x1c0 > > [ 4849.637304] ? path_init+0x2c0/0x3f0 > > [ 4849.637316] path_lookupat+0x6e/0x1c0 > > [ 4849.637330] filename_lookup+0xcf/0x1d0 > > [ 4849.637341] ? __check_object_size+0x1d/0x30 > > [ 4849.637354] ? strncpy_from_user+0x44/0x150 > > [ 4849.637365] ? getname_flags.part.0+0x4c/0x1b0 > > [ 4849.637375] user_path_at_empty+0x3f/0x60 > > [ 4849.637383] vfs_statx+0x7a/0x130 > > [ 4849.637393] do_statx+0x45/0x80 > > .. > > > > Signed-off-by: Ronald Monthero > > --- > > fs/qnx4/namei.c | 7 +++++++ > > 1 file changed, 7 insertions(+) > > > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > > index 8d72221735d7..825b891a52b3 100644 > > --- a/fs/qnx4/namei.c > > +++ b/fs/qnx4/namei.c > > @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name, > > } else { > > namelen = QNX4_SHORT_NAME_MAX; > > } > > + > > + /** qnx4 dir name length can vary, check the di_fname > > + * fetched from (struct qnx4_inode_entry *) before use in > > + * strlen to avoid panic due to buffer overflow" > > + */ > > Style nit: this comment should start with just "/*" alone, like: > > /* > * qnx4 dir name ... > > > + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) > > + return -ENAMETOOLONG; > > thislen = strlen( de->di_fname ); > > de->di_fname is: > > struct qnx4_inode_entry { > char di_fname[QNX4_SHORT_NAME_MAX]; > ... > > #define QNX4_SHORT_NAME_MAX 16 > #define QNX4_NAME_MAX 48 > > It's always going to have a max of QNX4_SHORT_NAME_MAX. Is any of this > code correct if namelen ends up being QNX4_NAME_MAX? It'll be reading > past the end of di_fname. > > Is bh->b_data actually struct qnx4_inode_entry ? Ah-ha, it looks like it's _not_: if (!(bh = qnx4_find_entry(len, dir, name, &de, &ino))) goto out; /* The entry is linked, let's get the real info */ if ((de->di_status & QNX4_FILE_LINK) == QNX4_FILE_LINK) { lnk = (struct qnx4_link_info *) de; It seems that entries may be either struct qnx4_inode_entry or struct qnx4_link_info but it's not captured in a union. This needs to be fixed by not lying to the compiler about what is there. How about this? diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c index 8d72221735d7..3cd20065bcfa 100644 --- a/fs/qnx4/namei.c +++ b/fs/qnx4/namei.c @@ -26,31 +26,39 @@ static int qnx4_match(int len, const char *name, struct buffer_head *bh, unsigned long *offset) { - struct qnx4_inode_entry *de; - int namelen, thislen; + union qnx4_dir_entry *de; + char *entry_fname; + int entry_len, entry_max_len; if (bh == NULL) { printk(KERN_WARNING "qnx4: matching unassigned buffer !\n"); return 0; } - de = (struct qnx4_inode_entry *) (bh->b_data + *offset); + de = (union qnx4_dir_entry *) (bh->b_data + *offset); *offset += QNX4_DIR_ENTRY_SIZE; - if ((de->di_status & QNX4_FILE_LINK) != 0) { - namelen = QNX4_NAME_MAX; - } else { - namelen = QNX4_SHORT_NAME_MAX; - } - thislen = strlen( de->di_fname ); - if ( thislen > namelen ) - thislen = namelen; - if (len != thislen) { + + switch (de->inode.di_status) { + case QNX4_FILE_LINK: + entry_fname = de->link.dl_fname; + entry_max_len = sizeof(de->link.dl_fname); + break; + case QNX4_FILE_USED: + entry_fname = de->inode.di_fname; + entry_max_len = sizeof(de->inode.di_fname); + break; + default: return 0; } - if (strncmp(name, de->di_fname, len) == 0) { - if ((de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)) != 0) { - return 1; - } - } + + /* Directory entry may not be %NUL-terminated. */ + entry_len = strnlen(entry_fname, entry_max_len); + + if (len != entry_len) + return 0; + + if (strncmp(name, entry_fname, len) == 0) + return 1; + return 0; } diff --git a/include/uapi/linux/qnx4_fs.h b/include/uapi/linux/qnx4_fs.h index 31487325d265..e033dbe1e009 100644 --- a/include/uapi/linux/qnx4_fs.h +++ b/include/uapi/linux/qnx4_fs.h @@ -68,6 +68,13 @@ struct qnx4_link_info { __u8 dl_status; }; +union qnx4_dir_entry { + struct qnx4_inode_entry inode; + struct qnx4_link_info link; +}; +_Static_assert(offsetof(struct qnx4_inode_entry, di_status) == + offsetof(struct qnx4_link_info, dl_status)); + struct qnx4_xblk { __le32 xblk_next_xblk; __le32 xblk_prev_xblk; -- Kees Cook