
Commit 9aafc1b

Browse files
Dan Carpenter authored and Miklos Szeredi committed
ovl: potential crash in ovl_fid_to_fh()
The "buflen" value comes from the user and there is a potential that it could be zero. In do_handle_to_path() we know that "handle->handle_bytes" is non-zero and we do:

	handle_dwords = handle->handle_bytes >> 2;

So values 1-3 become zero. Then in ovl_fh_to_dentry() we do:

	int len = fh_len << 2;

So now len is in the "0,4-128" range and a multiple of 4. But if "buflen" is zero it will try to copy negative bytes when we do the memcpy in ovl_fid_to_fh().

	memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET);

And that will lead to a crash.

Thanks to Amir Goldstein for his help with this patch.

Fixes: cbe7fba ("ovl: make sure that real fid is 32bit aligned in memory")
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Amir Goldstein <[email protected]>
Cc: <[email protected]> # v5.5
Signed-off-by: Miklos Szeredi <[email protected]>
1 parent 15fd2ea commit 9aafc1b
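The length arithmetic the commit message walks through, as an added example in C that is not overlayfs code and not part of this commit: it models the three steps (handle byte count to dwords, dwords back to a byte length, then the memcpy length), using stand-in constants (MAX_HANDLE_SZ and an assumed FH_WIRE_OFFSET of 3 in place of OVL_FH_WIRE_OFFSET) and a constructed sample fid, and shows the unguarded copy length going negative for handle_bytes 1..3 next to a guarded conversion that returns -EINVAL the way the patched ovl_fid_to_fh() does.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the kernel constants; chosen for this model only. */
#define MAX_HANDLE_SZ   128	/* largest file handle the caller can pass */
#define FH_WIRE_OFFSET  3	/* assumed padding before the wire fid (stands in for OVL_FH_WIRE_OFFSET) */

/* Model of the fh buffer: padding first, then the copied wire fid. */
struct model_fh {
	unsigned char pad[FH_WIRE_OFFSET];
	unsigned char fb[MAX_HANDLE_SZ];
};

/* Step 1 (do_handle_to_path): byte count -> dword count; 1..3 collapse to 0. */
static int handle_dwords(unsigned int handle_bytes)
{
	return (int)(handle_bytes >> 2);
}

/* Step 2 (ovl_fh_to_dentry): dword count back to bytes, always a multiple of 4. */
static int fh_len_bytes(int fh_dwords)
{
	return fh_dwords << 2;
}

/* Pre-fix arithmetic: the memcpy length as a signed value ... */
static long copy_len_unguarded(int buflen)
{
	return (long)buflen - FH_WIRE_OFFSET;
}

/* ... and as the size_t that memcpy would actually receive. */
static size_t copy_len_as_size_t(int buflen)
{
	return (size_t)(buflen - FH_WIRE_OFFSET);
}

/* Post-fix conversion: reject any buflen that leaves no fid bytes to copy.
 * Returns the number of fid bytes copied, or -EINVAL. */
static int fid_to_fh_model(struct model_fh *fh, const unsigned char *fid, int buflen)
{
	if (buflen <= FH_WIRE_OFFSET)
		return -EINVAL;
	memset(fh, 0, sizeof(*fh));
	memcpy(fh->fb, fid, (size_t)(buflen - FH_WIRE_OFFSET));
	return buflen - FH_WIRE_OFFSET;
}

/* Drive the whole chain from a user-supplied handle_bytes with a constructed fid.
 * Returns the guarded conversion result for that handle size. */
static int convert_handle(unsigned int handle_bytes)
{
	unsigned char fid[MAX_HANDLE_SZ];
	struct model_fh fh;
	int buflen;
	size_t i;

	for (i = 0; i < sizeof(fid); i++)
		fid[i] = (unsigned char)(0xA0 + i);	/* constructed sample fid bytes */

	buflen = fh_len_bytes(handle_dwords(handle_bytes));
	return fid_to_fh_model(&fh, fid, buflen);
}

int main(void)
{
	unsigned int hb;

	for (hb = 1; hb <= 8; hb++) {
		int buflen = fh_len_bytes(handle_dwords(hb));

		printf("handle_bytes=%u -> buflen=%d, unguarded memcpy len=%ld (as size_t %zu), guarded=%d\n",
		       hb, buflen, copy_len_unguarded(buflen),
		       copy_len_as_size_t(buflen), convert_handle(hb));
	}
	return 0;
}
```

The loop makes the failure mode concrete: for handle_bytes 1..3 the dword shift yields buflen 0, the signed copy length is -3, and the size_t memcpy would see is a value far above MAX_HANDLE_SZ, which is the overread the commit fixes. From handle_bytes 4 upward the guarded path copies buflen minus the wire offset and returns that count.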

File tree: 1 file changed, +3 -0 lines changed

fs/overlayfs/export.c

Lines changed: 3 additions & 0 deletions
@@ -783,6 +783,9 @@ static struct ovl_fh *ovl_fid_to_fh(struct fid *fid, int buflen, int fh_type)
783783
if (fh_type != OVL_FILEID_V0)
784784
return ERR_PTR(-EINVAL);
785785

786+
if (buflen <= OVL_FH_WIRE_OFFSET)
787+
return ERR_PTR(-EINVAL);
788+
786789
fh = kzalloc(buflen, GFP_KERNEL);
787790
if (!fh)
788791
return ERR_PTR(-ENOMEM);
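Review bot: the new `if (buflen <= OVL_FH_WIRE_OFFSET)` guard needs a one-line comment explaining why it is `<=` and not `<`. A buflen equal to OVL_FH_WIRE_OFFSET would make `buflen - OVL_FH_WIRE_OFFSET` zero rather than negative, so a reader seeing only this function may take `<` as sufficient; the reason given in the commit message (a handle that carries no fid bytes is not a usable OVL_FILEID_V0 handle) should sit next to the check rather than only in the log. Placing the check ahead of `fh = kzalloc(buflen, GFP_KERNEL);` is right, since the rejected path then allocates nothing. The function still relies on the caller for the upper bound on buflen (the commit message gives the caller's range as 0,4-128); a comment stating that assumption here would keep a future caller from passing an unbounded length.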
