On Mon, 2018-07-02 at 00:04 +0200, tomas wrote: > Hi, > > I've looked into this issue found by Syzbot and I made a patch: > > https://syzkaller.appspot.com/bug?id=d03abd8b42847f7f69b1d1d7f97208ae425b1163 Umm ... oops! Thanks for looking into this Tomas. > > > The autofs subsystem does not check that the "path" parameter is present > within the "param" struct passed by the userspace in case the > AUTOFS_DEV_IOCTL_OPENMOUNT_CMD command is passed. Indeed, it assumes a > path is always provided (though a path is not always present, as per how > the struct is defined: > https://github.com/torvalds/linux/blob/master/include/uapi/linux/auto_dev-ioct > l.h#L89). > Skipping the check provokes an oob read in "strlen", called by > "getname_kernel", in turn called by the autofs to assess the length of > the non-existing path. > > To solve it, modify the "validate_dev_ioctl" function to check also that > a path has been provided if the command is AUTOFS_DEV_IOCTL_OPENMOUNT_CMD. > > > --- b/fs/autofs/dev-ioctl.c 2018-07-01 23:10:16.059728621 +0200 > +++ a/fs/autofs/dev-ioctl.c 2018-07-01 23:10:24.311792133 +0200 > @@ -136,6 +136,9 @@ static int validate_dev_ioctl(int cmd, s > goto out; > } > } > + /* AUTOFS_DEV_IOCTL_OPENMOUNT_CMD without path */ > + else if(_IOC_NR(cmd) == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD) > + return -EINVAL; My preference is to put the comment inside the else but ... There's another question, should the check be done in autofs_dev_ioctl_openmount() in the same way it's checked in other ioctls that need a path, such as in autofs_dev_ioctl_requester() and autofs_dev_ioctl_ismountpoint()? For consistency I'd say it should. > > err = 0; > out: > > > Tested and solves the issue on Linus' main git tree. > > Ian -- To unsubscribe from this list: send the line "unsubscribe autofs" in
