2021-11-02 22:12:01 +09:00
// SPDX-License-Identifier: LGPL-2.1
2010-05-31 13:22:56 +05:30
/*
* Copyright IBM Corporation , 2010
* Author Aneesh Kumar K . V < aneesh . kumar @ linux . vnet . ibm . com >
*/
# include <linux/module.h>
# include <linux/fs.h>
# include <linux/sched.h>
2015-04-01 20:17:51 -04:00
# include <linux/uio.h>
2022-09-22 17:17:26 +02:00
# include <linux/posix_acl_xattr.h>
2010-05-31 13:22:56 +05:30
# include <net/9p/9p.h>
# include <net/9p/client.h>
# include "fid.h"
# include "xattr.h"
2010-09-28 00:27:39 +05:30
ssize_t v9fs_fid_xattr_get ( struct p9_fid * fid , const char * name ,
void * buffer , size_t buffer_size )
2010-05-31 13:22:56 +05:30
{
ssize_t retval ;
2015-04-01 23:42:28 -04:00
u64 attr_size ;
2010-09-28 00:27:39 +05:30
struct p9_fid * attr_fid ;
2015-04-01 23:42:28 -04:00
struct kvec kvec = { . iov_base = buffer , . iov_len = buffer_size } ;
struct iov_iter to ;
int err ;
2022-09-15 20:25:47 -04:00
iov_iter_kvec ( & to , ITER_DEST , & kvec , 1 , buffer_size ) ;
2010-05-31 13:22:56 +05:30
attr_fid = p9_client_xattrwalk ( fid , name , & attr_size ) ;
if ( IS_ERR ( attr_fid ) ) {
retval = PTR_ERR ( attr_fid ) ;
2011-11-28 10:40:46 -08:00
p9_debug ( P9_DEBUG_VFS , " p9_client_attrwalk failed %zd \n " ,
retval ) ;
2015-04-01 23:42:28 -04:00
return retval ;
2010-05-31 13:22:56 +05:30
}
if ( attr_size > buffer_size ) {
9P FS: Fix wild-memory-access write in v9fs_get_acl
KASAN reported the following issue:
[ 36.825817][ T5923] BUG: KASAN: wild-memory-access in v9fs_get_acl+0x1a4/0x390
[ 36.827479][ T5923] Write of size 4 at addr 9fffeb37f97f1c00 by task syz-executor798/5923
[ 36.829303][ T5923]
[ 36.829846][ T5923] CPU: 0 PID: 5923 Comm: syz-executor798 Not tainted 6.2.0-syzkaller-18302-g596b6b709632 #0
[ 36.832110][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
[ 36.834464][ T5923] Call trace:
[ 36.835196][ T5923] dump_backtrace+0x1c8/0x1f4
[ 36.836229][ T5923] show_stack+0x2c/0x3c
[ 36.837100][ T5923] dump_stack_lvl+0xd0/0x124
[ 36.838103][ T5923] print_report+0xe4/0x4c0
[ 36.839068][ T5923] kasan_report+0xd4/0x130
[ 36.840052][ T5923] kasan_check_range+0x264/0x2a4
[ 36.841199][ T5923] __kasan_check_write+0x2c/0x3c
[ 36.842216][ T5923] v9fs_get_acl+0x1a4/0x390
[ 36.843232][ T5923] v9fs_mount+0x77c/0xa5c
[ 36.844163][ T5923] legacy_get_tree+0xd4/0x16c
[ 36.845173][ T5923] vfs_get_tree+0x90/0x274
[ 36.846137][ T5923] do_new_mount+0x25c/0x8c8
[ 36.847066][ T5923] path_mount+0x590/0xe58
[ 36.848147][ T5923] __arm64_sys_mount+0x45c/0x594
[ 36.849273][ T5923] invoke_syscall+0x98/0x2c0
[ 36.850421][ T5923] el0_svc_common+0x138/0x258
[ 36.851397][ T5923] do_el0_svc+0x64/0x198
[ 36.852398][ T5923] el0_svc+0x58/0x168
[ 36.853224][ T5923] el0t_64_sync_handler+0x84/0xf0
[ 36.854293][ T5923] el0t_64_sync+0x190/0x194
Calling '__v9fs_get_acl' method in 'v9fs_get_acl' creates the
following chain of function calls:
__v9fs_get_acl
v9fs_fid_get_acl
v9fs_fid_xattr_get
p9_client_xattrwalk
Function p9_client_xattrwalk accepts a pointer to u64-typed
variable attr_size and puts some u64 value into it. However,
after the executing the p9_client_xattrwalk, in some circumstances
we assign the value of u64-typed variable 'attr_size' to the
variable 'retval', which we will return. However, the type of
'retval' is ssize_t, and if the value of attr_size is larger
than SSIZE_MAX, we will face the signed type overflow. If the
overflow occurs, the result of v9fs_fid_xattr_get may be
negative, but not classified as an error. When we try to allocate
an acl with 'broken' size we receive an error, but don't process
it. When we try to free this acl, we face the 'wild-memory-access'
error (because it wasn't allocated).
This patch will add new condition to the 'v9fs_fid_xattr_get'
function, so it will return an EOVERFLOW error if the 'attr_size'
is larger than SSIZE_MAX.
In this version of the patch I simplified the condition.
In previous (v2) version of the patch I removed explicit type conversion
and added separate condition to check the possible overflow and return
an error (in v1 version I've just modified the existing condition).
Tested via syzkaller.
Suggested-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Reported-by: syzbot+cb1d16facb3cc90de5fb@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=fbbef66d9e4d096242f3617de5d14d12705b4659
Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
2023-03-11 16:50:25 +04:00
if ( buffer_size )
2015-04-01 23:42:28 -04:00
retval = - ERANGE ;
9P FS: Fix wild-memory-access write in v9fs_get_acl
KASAN reported the following issue:
[ 36.825817][ T5923] BUG: KASAN: wild-memory-access in v9fs_get_acl+0x1a4/0x390
[ 36.827479][ T5923] Write of size 4 at addr 9fffeb37f97f1c00 by task syz-executor798/5923
[ 36.829303][ T5923]
[ 36.829846][ T5923] CPU: 0 PID: 5923 Comm: syz-executor798 Not tainted 6.2.0-syzkaller-18302-g596b6b709632 #0
[ 36.832110][ T5923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
[ 36.834464][ T5923] Call trace:
[ 36.835196][ T5923] dump_backtrace+0x1c8/0x1f4
[ 36.836229][ T5923] show_stack+0x2c/0x3c
[ 36.837100][ T5923] dump_stack_lvl+0xd0/0x124
[ 36.838103][ T5923] print_report+0xe4/0x4c0
[ 36.839068][ T5923] kasan_report+0xd4/0x130
[ 36.840052][ T5923] kasan_check_range+0x264/0x2a4
[ 36.841199][ T5923] __kasan_check_write+0x2c/0x3c
[ 36.842216][ T5923] v9fs_get_acl+0x1a4/0x390
[ 36.843232][ T5923] v9fs_mount+0x77c/0xa5c
[ 36.844163][ T5923] legacy_get_tree+0xd4/0x16c
[ 36.845173][ T5923] vfs_get_tree+0x90/0x274
[ 36.846137][ T5923] do_new_mount+0x25c/0x8c8
[ 36.847066][ T5923] path_mount+0x590/0xe58
[ 36.848147][ T5923] __arm64_sys_mount+0x45c/0x594
[ 36.849273][ T5923] invoke_syscall+0x98/0x2c0
[ 36.850421][ T5923] el0_svc_common+0x138/0x258
[ 36.851397][ T5923] do_el0_svc+0x64/0x198
[ 36.852398][ T5923] el0_svc+0x58/0x168
[ 36.853224][ T5923] el0t_64_sync_handler+0x84/0xf0
[ 36.854293][ T5923] el0t_64_sync+0x190/0x194
Calling '__v9fs_get_acl' method in 'v9fs_get_acl' creates the
following chain of function calls:
__v9fs_get_acl
v9fs_fid_get_acl
v9fs_fid_xattr_get
p9_client_xattrwalk
Function p9_client_xattrwalk accepts a pointer to u64-typed
variable attr_size and puts some u64 value into it. However,
after the executing the p9_client_xattrwalk, in some circumstances
we assign the value of u64-typed variable 'attr_size' to the
variable 'retval', which we will return. However, the type of
'retval' is ssize_t, and if the value of attr_size is larger
than SSIZE_MAX, we will face the signed type overflow. If the
overflow occurs, the result of v9fs_fid_xattr_get may be
negative, but not classified as an error. When we try to allocate
an acl with 'broken' size we receive an error, but don't process
it. When we try to free this acl, we face the 'wild-memory-access'
error (because it wasn't allocated).
This patch will add new condition to the 'v9fs_fid_xattr_get'
function, so it will return an EOVERFLOW error if the 'attr_size'
is larger than SSIZE_MAX.
In this version of the patch I simplified the condition.
In previous (v2) version of the patch I removed explicit type conversion
and added separate condition to check the possible overflow and return
an error (in v1 version I've just modified the existing condition).
Tested via syzkaller.
Suggested-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Reported-by: syzbot+cb1d16facb3cc90de5fb@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=fbbef66d9e4d096242f3617de5d14d12705b4659
Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
2023-03-11 16:50:25 +04:00
else if ( attr_size > SSIZE_MAX )
retval = - EOVERFLOW ;
else /* request to get the attr_size */
retval = attr_size ;
2015-04-01 23:42:28 -04:00
} else {
iov_iter_truncate ( & to , attr_size ) ;
retval = p9_client_read ( attr_fid , 0 , & to , & err ) ;
if ( err )
retval = err ;
2010-05-31 13:22:56 +05:30
}
2022-06-12 13:42:32 +09:00
p9_fid_put ( attr_fid ) ;
2010-05-31 13:22:56 +05:30
return retval ;
}
2010-09-28 00:27:39 +05:30
/*
* v9fs_xattr_get ( )
*
* Copy an extended attribute into the buffer
* provided , or compute the buffer size required .
* Buffer is NULL to compute the size of the buffer required .
*
* Returns a negative error number on failure , or the number of bytes
* used / required on success .
*/
ssize_t v9fs_xattr_get ( struct dentry * dentry , const char * name ,
void * buffer , size_t buffer_size )
{
struct p9_fid * fid ;
2020-09-23 22:11:46 +08:00
int ret ;
2010-09-28 00:27:39 +05:30
2011-11-28 10:40:46 -08:00
p9_debug ( P9_DEBUG_VFS , " name = %s value_len = %zu \n " ,
name , buffer_size ) ;
2010-09-28 00:27:39 +05:30
fid = v9fs_fid_lookup ( dentry ) ;
if ( IS_ERR ( fid ) )
return PTR_ERR ( fid ) ;
2020-09-23 22:11:46 +08:00
ret = v9fs_fid_xattr_get ( fid , name , buffer , buffer_size ) ;
2022-06-12 13:42:32 +09:00
p9_fid_put ( fid ) ;
2010-09-28 00:27:39 +05:30
2020-09-23 22:11:46 +08:00
return ret ;
2010-09-28 00:27:39 +05:30
}
2010-05-31 13:22:56 +05:30
/*
* v9fs_xattr_set ( )
*
* Create , replace or remove an extended attribute for this inode . Buffer
* is NULL to remove an existing extended attribute , and non - NULL to
* either replace an existing extended attribute , or create a new extended
* attribute . The flags XATTR_REPLACE and XATTR_CREATE
* specify that an extended attribute must exist and must not exist
* previous to the call , respectively .
*
* Returns 0 , or a negative error number on failure .
*/
int v9fs_xattr_set ( struct dentry * dentry , const char * name ,
const void * value , size_t value_len , int flags )
2013-01-31 12:34:58 -05:00
{
2020-09-23 22:11:46 +08:00
int ret ;
struct p9_fid * fid ;
fid = v9fs_fid_lookup ( dentry ) ;
if ( IS_ERR ( fid ) )
return PTR_ERR ( fid ) ;
ret = v9fs_fid_xattr_set ( fid , name , value , value_len , flags ) ;
2022-06-12 13:42:32 +09:00
p9_fid_put ( fid ) ;
2020-09-23 22:11:46 +08:00
return ret ;
2013-01-31 12:34:58 -05:00
}
int v9fs_fid_xattr_set ( struct p9_fid * fid , const char * name ,
const void * value , size_t value_len , int flags )
2010-05-31 13:22:56 +05:30
{
2015-04-01 20:17:51 -04:00
struct kvec kvec = { . iov_base = ( void * ) value , . iov_len = value_len } ;
struct iov_iter from ;
2018-07-25 11:13:16 +08:00
int retval , err ;
2015-04-01 20:17:51 -04:00
2022-09-15 20:25:47 -04:00
iov_iter_kvec ( & from , ITER_SOURCE , & kvec , 1 , value_len ) ;
2010-05-31 13:22:56 +05:30
2011-11-28 10:40:46 -08:00
p9_debug ( P9_DEBUG_VFS , " name = %s value_len = %zu flags = %d \n " ,
name , value_len , flags ) ;
2010-05-31 13:22:56 +05:30
2013-01-31 12:34:58 -05:00
/* Clone it */
2016-08-03 11:12:12 -04:00
fid = clone_fid ( fid ) ;
2013-01-31 12:34:58 -05:00
if ( IS_ERR ( fid ) )
return PTR_ERR ( fid ) ;
2010-05-31 13:22:56 +05:30
/*
* On success fid points to xattr
*/
retval = p9_client_xattrcreate ( fid , name , value_len , flags ) ;
2015-04-01 20:17:51 -04:00
if ( retval < 0 )
2011-11-28 10:40:46 -08:00
p9_debug ( P9_DEBUG_VFS , " p9_client_xattrcreate failed %d \n " ,
retval ) ;
2015-04-01 20:17:51 -04:00
else
p9_client_write ( fid , 0 , & from , & retval ) ;
2022-06-12 13:42:32 +09:00
err = p9_fid_put ( fid ) ;
2018-07-25 11:13:16 +08:00
if ( ! retval & & err )
retval = err ;
2013-10-21 16:47:58 -03:00
return retval ;
2010-05-31 13:22:56 +05:30
}
ssize_t v9fs_listxattr ( struct dentry * dentry , char * buffer , size_t buffer_size )
{
return v9fs_xattr_get ( dentry , NULL , buffer , buffer_size ) ;
}
2015-10-04 19:18:52 +02:00
static int v9fs_xattr_handler_get ( const struct xattr_handler * handler ,
2016-04-10 20:48:24 -04:00
struct dentry * dentry , struct inode * inode ,
const char * name , void * buffer , size_t size )
2015-10-04 19:18:52 +02:00
{
const char * full_name = xattr_full_name ( handler , name ) ;
return v9fs_xattr_get ( dentry , full_name , buffer , size ) ;
}
static int v9fs_xattr_handler_set ( const struct xattr_handler * handler ,
2023-01-13 12:49:23 +01:00
struct mnt_idmap * idmap ,
2016-05-27 10:19:30 -04:00
struct dentry * dentry , struct inode * inode ,
const char * name , const void * value ,
size_t size , int flags )
2015-10-04 19:18:52 +02:00
{
const char * full_name = xattr_full_name ( handler , name ) ;
return v9fs_xattr_set ( dentry , full_name , value , size , flags ) ;
}
static struct xattr_handler v9fs_xattr_user_handler = {
. prefix = XATTR_USER_PREFIX ,
. get = v9fs_xattr_handler_get ,
. set = v9fs_xattr_handler_set ,
} ;
static struct xattr_handler v9fs_xattr_trusted_handler = {
. prefix = XATTR_TRUSTED_PREFIX ,
. get = v9fs_xattr_handler_get ,
. set = v9fs_xattr_handler_set ,
} ;
# ifdef CONFIG_9P_FS_SECURITY
static struct xattr_handler v9fs_xattr_security_handler = {
. prefix = XATTR_SECURITY_PREFIX ,
. get = v9fs_xattr_handler_get ,
. set = v9fs_xattr_handler_set ,
} ;
# endif
2010-05-31 13:22:56 +05:30
const struct xattr_handler * v9fs_xattr_handlers [ ] = {
& v9fs_xattr_user_handler ,
2013-05-29 12:09:39 -07:00
& v9fs_xattr_trusted_handler ,
# ifdef CONFIG_9P_FS_SECURITY
& v9fs_xattr_security_handler ,
2010-09-28 00:27:39 +05:30
# endif
2010-05-31 13:22:56 +05:30
NULL
} ;