linux-hardened/fs/btrfs
Nikolay Borisov c8bcbfbd23 btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
The name char array passed to btrfs_search_path_in_tree is of size
BTRFS_INO_LOOKUP_PATH_MAX (4080). So the actual accessible char indexes
are in the range of [0, 4079]. Currently the code uses the define but this
represents an off-by-one.

Implications:

Size of btrfs_ioctl_ino_lookup_args is 4096, so the new byte will be
written to extra space, not some padding that could be provided by the
allocator.

btrfs-progs store the arguments on the stack, but the kernel does its own
copy of the ioctl buffer and the off-by-one overwrite does not affect
userspace, but the ending 0 might be lost.

Kernel ioctl buffer is allocated dynamically so we're overwriting
somebody else's memory, and the ioctl is privileged if args.objectid is
not 256. Which is in most cases, but resolving a subvolume stored in
another directory will trigger that path.

Before this patch the buffer was one byte larger, but then the -1 was
not added.

Fixes: ac8e9819d7 ("Btrfs: add search and inode lookup ioctls")
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ added implications ]
Signed-off-by: David Sterba <dsterba@suse.com>
2017-12-07 00:35:15 +01:00
tests Btrfs: fix reported number of inode blocks after buffered append writes 2017-11-15 17:27:46 +01:00
acl.c btrfs: preserve i_mode if __btrfs_set_acl() fails 2017-08-21 17:47:42 +02:00
async-thread.c Btrfs: fix confusing worker helper info in stacktrace 2017-10-30 12:27:57 +01:00
async-thread.h btrfs: constify tracepoint arguments 2017-08-16 14:19:53 +02:00
backref.c btrfs: track refs in a rb_tree instead of a list 2017-11-01 20:45:35 +01:00
backref.h btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents 2017-11-01 20:45:34 +01:00
btrfs_inode.h btrfs: make the delalloc block rsv per inode 2017-11-01 20:45:35 +01:00
check-integrity.c btrfs: Fix bug for misused dev_t when lookup in dev state hash table. 2017-11-01 20:45:36 +01:00
check-integrity.h btrfs: take an fs_info directly when the root is not used otherwise 2016-12-06 16:06:59 +01:00
compression.c btrfs: Fix wild memory access in compression level parser 2017-11-27 17:01:11 +01:00
compression.h btrfs: Fix wild memory access in compression level parser 2017-11-27 17:01:11 +01:00
ctree.c btrfs: handle errors while updating refcounts in update_ref_for_cow 2017-12-07 00:30:03 +01:00
ctree.h Btrfs: fix reported number of inode blocks after buffered append writes 2017-11-15 17:27:46 +01:00
dedupe.h btrfs: expand cow_file_range() to support in-band dedup and subpage-blocksize 2016-07-26 13:52:25 +02:00
delayed-inode.c btrfs: make the delalloc block rsv per inode 2017-11-01 20:45:35 +01:00
delayed-inode.h btrfs: convert btrfs_delayed_item.refs from atomic_t to refcount_t 2017-04-18 14:07:23 +02:00
delayed-ref.c btrfs: track refs in a rb_tree instead of a list 2017-11-01 20:45:35 +01:00
delayed-ref.h btrfs: track refs in a rb_tree instead of a list 2017-11-01 20:45:35 +01:00
dev-replace.c Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-09-14 18:54:01 -07:00
dev-replace.h btrfs: constify device path passed to relevant helpers 2017-02-28 14:26:07 +01:00
dir-item.c btrfs: fix validation of XATTR_ITEM dir items 2017-06-29 20:06:11 +02:00
disk-io.c Btrfs: disable FUA if mounted with nobarrier 2017-12-07 00:34:45 +01:00
disk-io.h btrfs: use named constant for bdev blocksize 2017-08-16 16:12:04 +02:00
export.c btrfs: Check name_len before reading btrfs_get_name 2017-06-21 19:16:04 +02:00
export.h
extent-tree.c btrfs: fix missing error return in btrfs_drop_snapshot 2017-12-07 00:30:29 +01:00
extent_io.c Btrfs: add write_flags for compression bio 2017-11-15 14:44:31 +01:00
extent_io.h Btrfs: fix reported number of inode blocks after buffered append writes 2017-11-15 17:27:46 +01:00
extent_map.c btrfs: convert extent_map.refs from atomic_t to refcount_t 2017-04-18 14:07:23 +02:00
extent_map.h btrfs: convert extent_map.refs from atomic_t to refcount_t 2017-04-18 14:07:23 +02:00
file-item.c Merge branch 'for-4.13-part1' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux 2017-07-05 16:41:23 -07:00
file.c Btrfs: fix list_add corruption and soft lockups in fsync 2017-11-27 17:41:19 +01:00
free-space-cache.c btrfs: fix deadlock when writing out space cache 2017-11-27 15:50:07 +01:00
free-space-cache.h btrfs: free-space-cache, clean up unnecessary root arguments 2017-02-17 12:03:56 +01:00
free-space-tree.c btrfs: Clean up unused variables in free-space-tree.c 2017-10-30 12:27:59 +01:00
free-space-tree.h btrfs: expose internal free space tree routine only if sanity tests are enabled 2017-08-18 16:36:29 +02:00
hash.c crypto: Work around deallocated stack frame reference gcc bug on sparc. 2017-06-08 17:36:03 +08:00
hash.h btrfs: advertise which crc32c implementation is being used at module load 2016-06-06 14:08:28 +02:00
inode-item.c btrfs: take an fs_info directly when the root is not used otherwise 2016-12-06 16:06:59 +01:00
inode-map.c Btrfs: rework outstanding_extents 2017-11-01 20:45:35 +01:00
inode-map.h Btrfs: Initialize btrfs_root->highest_objectid when loading tree root and subvolume roots 2016-01-15 19:25:02 +01:00
inode.c btrfs: Fix quota reservation leak on preallocated files 2017-12-07 00:28:12 +01:00
ioctl.c btrfs: Fix possible off-by-one in btrfs_search_path_in_tree 2017-12-07 00:35:15 +01:00
Kconfig Btrfs: add a extent ref verify tool 2017-10-30 12:28:00 +01:00
locking.c btrfs: cleanup, remove stray return statements 2016-01-07 14:30:52 +01:00
locking.h
lzo.c btrfs: allow to set compression level for zlib 2017-11-01 20:45:29 +01:00
Makefile Btrfs: add a extent ref verify tool 2017-10-30 12:28:00 +01:00
math.h btrfs: cleanup 64bit/32bit divs, compile time constants 2015-03-03 17:23:57 +01:00
ordered-data.c Btrfs: rework outstanding_extents 2017-11-01 20:45:35 +01:00
ordered-data.h btrfs: fix integer overflow in calc_reclaim_items_nr 2017-06-29 20:17:02 +02:00
orphan.c
print-tree.c Btrfs: add one more sanity check for shared ref type 2017-08-21 17:47:43 +02:00
print-tree.h btrfs: get fs_info from eb in btrfs_print_tree, remove argument 2017-08-16 16:12:03 +02:00
props.c Merge branch 'zstd-minimal' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs 2017-09-14 17:30:49 -07:00
props.h
qgroup.c btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents 2017-11-01 20:45:34 +01:00
qgroup.h btrfs: qgroup: Fix qgroup reserved space underflow by only freeing reserved ranges 2017-06-29 20:17:02 +02:00
raid56.c Btrfs: fix memory leak in raid56 2017-10-30 12:27:57 +01:00
raid56.h btrfs: take an fs_info directly when the root is not used otherwise 2016-12-06 16:06:59 +01:00
rcu-string.h
reada.c btrfs: remove unused member err from reada_extent 2017-06-19 18:25:59 +02:00
ref-verify.c Btrfs: add a extent ref verify tool 2017-10-30 12:28:00 +01:00
ref-verify.h Btrfs: add a extent ref verify tool 2017-10-30 12:28:00 +01:00
relocation.c Btrfs: fix reported number of inode blocks after buffered append writes 2017-11-15 17:27:46 +01:00
root-tree.c btrfs: Clean up dead code in root-tree 2017-10-30 12:27:56 +01:00
scrub.c btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents 2017-11-01 20:45:34 +01:00
send.c Btrfs: incremental send, fix wrong unlink path after renaming file 2017-11-28 17:15:30 +01:00
send.h btrfs: fix send ioctl on 32bit with 64bit kernel 2017-10-30 12:27:59 +01:00
struct-funcs.c btrfs: struct-funcs, constify readers 2017-08-16 14:19:53 +02:00
super.c btrfs: Fix wild memory access in compression level parser 2017-11-27 17:01:11 +01:00
sysfs.c btrfs: prefix sysfs attribute struct names 2017-10-30 12:27:58 +01:00
sysfs.h btrfs: prefix sysfs attribute struct names 2017-10-30 12:27:58 +01:00
transaction.c btrfs: don't call btrfs_start_delalloc_roots in flushoncommit 2017-11-01 20:45:35 +01:00
transaction.h btrfs: remove unused qgroup members from btrfs_trans_handle 2017-04-18 14:07:25 +02:00
tree-checker.c btrfs: tree-checker: Fix false panic for sanity test 2017-11-28 14:59:09 +01:00
tree-checker.h btrfs: tree-checker: Fix false panic for sanity test 2017-11-28 14:59:09 +01:00
tree-defrag.c Btrfs: fix locking bugs when defragging leaves 2015-12-18 02:51:32 +00:00
tree-log.c Btrfs: fix list_add corruption and soft lockups in fsync 2017-11-27 17:41:19 +01:00
tree-log.h btrfs: Make btrfs_del_inode_ref take btrfs_inode 2017-02-14 15:50:54 +01:00
ulist.c btrfs: ulist: rename ulist_fini to ulist_release 2017-02-17 12:03:50 +01:00
ulist.h btrfs: ulist: rename ulist_fini to ulist_release 2017-02-17 12:03:50 +01:00
uuid-tree.c btrfs: return the actual error value from from btrfs_uuid_tree_iterate 2016-12-19 18:08:15 +01:00
volumes.c btrfs: dev_alloc_list is not protected by RCU, use normal list_del 2017-11-15 14:46:12 +01:00
volumes.h btrfs: declare btrfs_report_missing_device() static 2017-10-30 12:27:59 +01:00
xattr.c btrfs: Check name_len with boundary in verify dir_item 2017-06-21 19:16:04 +02:00
xattr.h btrfs: Switch to generic xattr handlers 2016-05-17 19:17:09 -04:00
zlib.c btrfs: allow to set compression level for zlib 2017-11-01 20:45:29 +01:00
zstd.c btrfs: allow to set compression level for zlib 2017-11-01 20:45:29 +01:00