iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Nikita Zhandarovich c1362eae86 do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 
[ Upstream commit 3948abaa4e2be938ccdfc289385a27342fb13d43 ]

syzbot identified a kernel information leak vulnerability in
do_sys_name_to_handle() and issued the following report [1].

[1]
"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 copy_to_user include/linux/uaccess.h:191 [inline]
 do_sys_name_to_handle fs/fhandle.c:73 [inline]
 __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
 __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94
 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
 ...

Uninit was created at:
 slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0x121/0x3c0 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 do_sys_name_to_handle fs/fhandle.c:39 [inline]
 __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
 __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94
 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
 ...

Bytes 18-19 of 20 are uninitialized
Memory access of size 20 starts at ffff888128a46380
Data copied to user address 0000000020000240"

Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to
solve the problem.

Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support")
Suggested-by: Chuck Lever III <chuck.lever@oracle.com>
Reported-and-tested-by: <syzbot+09b349b3066c2e0b1e96@syzkaller.appspotmail.com>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://lore.kernel.org/r/20240119153906.4367-1-n.zhandarovich@fintech.ru
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-03-26 18:19:15 -04:00
..
9p
9p: Fix initialisation of netfs_inode for 9p
2024-02-05 20:14:32 +00:00
adfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
affs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
afs
afs: Fix endless loop in directory parsing
2024-03-06 14:48:38 +00:00
autofs
v6.6-vfs.autofs
2023-08-28 11:39:14 -07:00
befs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
bfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
btrfs
btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve
2024-03-26 18:19:13 -04:00
cachefiles
cachefiles: fix memory leak in cachefiles_add_cache()
2024-03-01 13:35:00 +01:00
ceph
ceph: switch to corrected encoding of max_xattr_size in mdsmap
2024-03-15 10:48:13 -04:00
coda
v6.6-vfs.ctime
2023-08-28 09:31:32 -07:00
configfs
configfs: convert to ctime accessor functions
2023-07-13 10:28:05 +02:00
cramfs
v6.6-vfs.super
2023-08-28 11:04:18 -07:00
crypto
debugfs
debugfs: fix automount d_fsdata usage
2024-01-20 11:51:37 +01:00
devpts
v6.6-vfs.misc
2023-08-28 10:17:14 -07:00
dlm
dlm: use kernel_connect() and kernel_bind()
2024-01-31 16:18:54 -08:00
ecryptfs
ecryptfs: Reject casefold directory inodes
2024-02-05 20:14:17 +00:00
efivarfs
efivarfs: Request at most 512 bytes for variable names
2024-03-06 14:48:41 +00:00
efs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
erofs
erofs: apply proper VMA alignment for memory mapped files on THP
2024-03-15 10:48:19 -04:00
exfat
exfat: support handle zero-size directory
2023-11-28 17:19:44 +00:00
exportfs
exportfs: remove kernel-doc warnings in exportfs
2023-08-29 17:45:22 -04:00
ext2
ext2: Fix ki_pos update for DIO buffered-io fallback case
2023-12-08 08:52:19 +01:00
ext4
ext4: correct the hole length returned by ext4_map_blocks()
2024-03-01 13:34:52 +01:00
f2fs
f2fs: fix to tag gcing flag on page during block migration
2024-02-05 20:14:28 +00:00
fat
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
freevxfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
fscache
netfs, fscache: Prevent Oops in fscache_put_cache()
2024-01-31 16:19:01 -08:00
fuse
fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
2023-12-20 17:01:52 +01:00
gfs2
gfs2: fix kernel BUG in gfs2_quota_cleanup
2024-01-25 15:35:17 -08:00
hfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
hfsplus
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
hostfs
hostfs: convert to ctime accessor functions
2023-07-24 10:30:00 +02:00
hpfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
hugetlbfs
mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE
2024-02-23 09:25:16 +01:00
iomap
iomap: fix short copy in iomap_write_iter()
2023-10-19 09:41:36 -07:00
isofs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
jbd2
jbd2: fix soft lockup in journal_finish_inode_data_buffers()
2024-01-20 11:51:43 +01:00
jffs2
jffs2: convert to ctime accessor functions
2023-07-24 10:30:01 +02:00
jfs
jfs: fix array-index-out-of-bounds in diNewExt
2024-02-05 20:14:16 +00:00
kernfs
fs/kernfs/dir: obey S_ISGID
2024-02-05 20:14:32 +00:00
lockd
SUNRPC: Add enum svc_auth_status
2023-08-29 17:45:22 -04:00
minix
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
netfs
netfs: Only call folio_start_fscache() one time for each folio
2023-09-18 12:03:46 -07:00
nfs
NFS: Fix data corruption caused by congestion.
2024-03-06 14:48:42 +00:00
nfs_common
nfsd
nfsd: don't take fi_lock in nfsd_break_deleg_cb()
2024-02-23 09:25:25 +01:00
nilfs2
nilfs2: fix potential bug in end_buffer_async_write
2024-02-23 09:25:27 +01:00
nls
nls: Hide new NLS_UCS2_UTILS
2023-08-31 12:07:34 -05:00
notify
fanotify: limit reporting of event with non-decodeable file handles
2023-10-19 16:19:20 +02:00
ntfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
ntfs3
fs/ntfs3: fix build without CONFIG_NTFS3_LZX_XPRESS
2024-03-02 18:23:09 +01:00
ocfs2
Many ext4 and jbd2 cleanups and bug fixes for v6.6-rc1.
2023-08-31 15:18:15 -07:00
omfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
openpromfs
openpromfs: convert to ctime accessor functions
2023-07-24 10:30:03 +02:00
orangefs
fs: drop the timespec64 argument from update_time
2023-08-11 09:04:57 +02:00
overlayfs
fs: Pass AT_GETATTR_NOSEC flag to getattr interface function
2023-12-03 07:33:03 +01:00
proc
fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand()
2024-02-23 09:25:17 +01:00
pstore
pstore/ram: Fix crash when setting number of cpus to an odd number
2024-02-05 20:14:16 +00:00
qnx4
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
qnx6
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
quota
quota: explicitly forbid quota files from being encrypted
2023-11-28 17:20:04 +00:00
ramfs
ramfs: convert to ctime accessor functions
2023-07-24 10:30:04 +02:00
reiserfs
reiserfs: Avoid touching renamed directory if parent does not change
2024-02-05 20:14:26 +00:00
romfs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
smb
ksmbd: fix wrong allocation size update in smb2_open()
2024-03-06 14:48:34 +00:00
squashfs
squashfs: convert to ctime accessor functions
2023-07-24 10:30:05 +02:00
sysfs
sysv
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
tracefs
eventfs: Keep all directory links at 1
2024-02-23 09:25:25 +01:00
ubifs
ubifs: fix possible dereference after free
2024-03-06 14:48:34 +00:00
udf
\n
2023-08-30 12:10:50 -07:00
ufs
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
unicode
vboxsf
v6.6-vfs.ctime
2023-08-28 09:31:32 -07:00
verity
fsverity: skip PKCS#7 parser when keyring is empty
2023-08-20 10:33:43 -07:00
xfs
xfs: respect the stable writes flag on the RT device
2024-02-16 19:10:46 +01:00
zonefs
zonefs: Improve error handling
2024-02-23 09:25:13 +01:00
aio.c
fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
2024-03-01 13:34:59 +01:00
anon_inodes.c
attr.c
v6.6-vfs.misc
2023-08-28 10:17:14 -07:00
bad_inode.c
fs: drop the timespec64 argument from update_time
2023-08-11 09:04:57 +02:00
binfmt_elf_fdpic.c
fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
2023-09-29 17:20:45 -07:00
binfmt_elf_test.c
binfmt_elf.c
Merge branch 'expand-stack'
2023-06-28 20:35:21 -07:00
binfmt_flat.c
binfmt_misc.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
binfmt_script.c
buffer.c
iomap: add a workaround for racy i_size updates on block devices
2023-09-25 08:55:00 -07:00
char_dev.c
compat_binfmt_elf.c
coredump.c
v6.5/vfs.misc
2023-06-26 09:50:21 -07:00
d_path.c
dax.c
mm: convert DAX lock/unlock page to lock/unlock folio
2024-01-10 17:16:53 +01:00
dcache.c
fast_dput(): handle underflows gracefully
2024-02-05 20:14:26 +00:00
direct-io.c
- Yosry Ahmed brought back some cgroup v1 stats in OOM logs.
2023-06-28 10:28:11 -07:00
drop_caches.c
fs: drop_caches: draining pages before dropping caches
2023-08-18 10:12:11 -07:00
eventfd.c
eventfd: prevent underflow for eventfd semaphores
2023-07-11 11:41:34 +02:00
eventpoll.c
epoll: simplify ep_alloc()
2023-07-26 14:56:07 +02:00
exec.c
exec: Fix error handling in begin_new_exec()
2024-01-31 16:19:06 -08:00
fcntl.c
fcntl: Cast commands with int args explicitly
2023-07-10 14:36:11 +02:00
fhandle.c
do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
2024-03-26 18:19:15 -04:00
file_table.c
fs: use __fput_sync in close(2)
2023-08-08 19:36:51 +02:00
file.c
v6.6-vfs.misc
2023-08-28 10:17:14 -07:00
filesystems.c
fs_context.c
fs: factor out vfs_parse_monolithic_sep() helper
2023-10-12 18:53:36 +03:00
fs_parser.c
fs_pin.c
fs_struct.c
kill do_each_thread()
2023-08-21 13:46:25 -07:00
fs_types.c
fs-writeback.c
writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs
2023-11-20 11:58:52 +01:00
fsopen.c
fs: add FSCONFIG_CMD_CREATE_EXCL
2023-08-14 18:48:02 +02:00
init.c
inode.c
filemap: add a per-mapping stable writes flag
2023-12-03 07:33:03 +01:00
internal.h
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
ioctl.c
lsm: new security_file_ioctl_compat() hook
2024-01-31 16:18:54 -08:00
Kconfig
for-6.6/block-2023-08-28
2023-08-29 20:21:42 -07:00
Kconfig.binfmt
riscv: support the elf-fdpic binfmt loader
2023-08-23 14:17:43 -07:00
kernel_read_file.c
fs: Fix kernel-doc warnings
2023-08-19 12:12:12 +02:00
libfs.c
fs: new accessor methods for atime and mtime
2024-01-05 15:19:40 +01:00
locks.c
NFSD 6.6 Release Notes
2023-08-31 15:32:18 -07:00
Makefile
fs: add CONFIG_BUFFER_HEAD
2023-08-02 09:13:09 -06:00
mbcache.c
mnt_idmapping.c
mount.h
mpage.c
namei.c
rename(): fix the locking of subdirectories
2024-01-31 16:18:57 -08:00
namespace.c
fs: relax mount_setattr() permission checks
2024-02-23 09:25:15 +01:00
nsfs.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
open.c
cred: get rid of CONFIG_DEBUG_CREDENTIALS
2023-12-20 17:01:51 +01:00
pipe.c
pipe: wakeup wr_wait after setting max_usage
2024-01-31 16:19:09 -08:00
pnode.c
pnode.h
posix_acl.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
proc_namespace.c
read_write.c
fs: Fix one kernel-doc comment
2023-08-15 08:32:45 +02:00
readdir.c
vfs: get rid of old '->iterate' directory operation
2023-08-06 15:08:35 +02:00
remap_range.c
select.c
seq_file.c
signalfd.c
splice.c
- Some swap cleanups from Ma Wupeng ("fix WARN_ON in add_to_avail_list")
2023-08-29 14:25:26 -07:00
stack.c
fs: convert to ctime accessor functions
2023-07-13 10:28:04 +02:00
stat.c
fs: Pass AT_GETATTR_NOSEC flag to getattr interface function
2023-12-03 07:33:03 +01:00
statfs.c
super.c
fs: export sget_dev()
2023-08-31 12:47:15 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c
mm: userfaultfd: remove stale comment about core dump locking
2023-08-24 16:20:27 -07:00
utimes.c
xattr.c
tmpfs,xattr: GFP_KERNEL_ACCOUNT for simple xattrs
2023-08-22 10:57:46 +02:00