    fscache: Fix out of bound read in long cookie keys · fa520c47
    Eric Sandeen authored
    fscache_set_key() can incur an out-of-bounds read, reported by KASAN:
    
     BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x5b3/0x680 [fscache]
     Read of size 4 at addr ffff88084ff056d4 by task mount.nfs/32615
    
    and also reported by syzbot at https://lkml.org/lkml/2018/7/8/236
    
      BUG: KASAN: slab-out-of-bounds in fscache_set_key fs/fscache/cookie.c:120 [inline]
      BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880 fs/fscache/cookie.c:171
      Read of size 4 at addr ffff8801d3cc8bb4 by task syz-executor907/4466
    
    This happens for any index_key_len which is not divisible by 4 and is
    larger than the size of the inline key, because the code allocates exactly
    index_key_len for the key buffer, but the hashing loop is stepping through
    it 4 bytes (u32) at a time in the buf[] array.
    
    Fix this by calculating how many u32 buffers we'll need by using
    DIV_ROUND_UP, and then using kcalloc() to allocate a precleared allocation
    buffer to hold the index_key, then using that same count as the hashing
    index limit.
    
    Fixes: ec0328e4 ("fscache: Maintain a catalogue of allocated cookies")
    Reported-by: syzbot+a95b989b2dde8e806af8@syzkaller.appspotmail.com
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
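
The sizing problem described in the commit message above, as an added user-space example (not the kernel's code and not part of the commit). The names `key_words`, `overread_bytes` and `hash_key`, the plain word sum standing in for the real hash, and the 17-byte sample key are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* u32 words needed to cover key_len bytes (hypothetical helper). */
static size_t key_words(size_t key_len)
{
	return DIV_ROUND_UP(key_len, sizeof(uint32_t));
}

/* Bytes a u32-at-a-time loop would read past a buffer of exactly key_len
 * bytes (the pre-fix sizing). This is computed, never performed. */
static size_t overread_bytes(size_t key_len)
{
	return key_words(key_len) * sizeof(uint32_t) - key_len;
}

/* Post-fix shape: allocate whole zeroed words, copy the key in, and use the
 * same word count as the loop limit. Returns 0 on success, -1 on failure. */
static int hash_key(const void *key, size_t key_len, uint64_t *hash)
{
	size_t i, bufs = key_words(key_len);
	uint32_t *buf;
	uint64_t h = 0;
	if (!key_len || !(buf = calloc(bufs, sizeof(*buf))))
		return -1;
	memcpy(buf, key, key_len);
	for (i = 0; i < bufs; i++)
		h += buf[i];	/* tail bytes of the last word are zero */
	free(buf);
	*hash = h;
	return 0;
}

int main(void)
{
	unsigned char key[17];	/* constructed sample key, length % 4 != 0 */
	uint64_t h = 0;

	memset(key, 0xab, sizeof(key));
	if (hash_key(key, sizeof(key), &h))
		return 1;
	printf("words=%zu overread=%zu hash=%llu\n", key_words(sizeof(key)),
	       overread_bytes(sizeof(key)), (unsigned long long)h);
	return 0;
}
```

Because the buffer is zeroed and sized in whole words, a 17-byte key hashes the same as that key zero-padded to 20 bytes, and the loop never touches memory outside the allocation.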
Name
Kconfig
Makefile
cache.c
cookie.c
fsdef.c
histogram.c
internal.h
main.c
netfs.c
object-list.c
object.c
operation.c
page.c
proc.c
stats.c