On Tue, Nov 20, 2018 at 6:36 AM Chandan Rajendra
<chandan@xxxxxxxxxxxxxxxxxx> wrote:
>
> On ppc64le, When a string with PAGE_SIZE - 1 (i.e. 64k-1) length is
> passed as a "filesystem type" argument to the mount(2) syscall,
> copy_mount_string() ends up allocating 64k (the PAGE_SIZE on ppc64le)
> worth of space for holding the string in kernel's address space.
>
> Later, in set_precision() (invoked by get_fs_type() ->
> __request_module() -> vsnprintf()), we end up assigning
> strlen(fs-type-string) i.e. 65535 as the
> value to 'struct printf_spec'->precision member. This field has a width
> of 16 bits and it is a signed data type. Hence an invalid value ends
> up getting assigned. This causes the "WARN_ONCE(spec->precision != prec,
> "precision %d too large", prec)" statement inside set_precision() to be
> executed.
>
> This commit fixes the bug by validating the length of the "filesystem
> type" argument passed to get_fs_type() function.
>
> Signed-off-by: Chandan Rajendra <chandan@xxxxxxxxxxxxxxxxxx>
> Reported-by: Abdul Haleem <abdhalee@xxxxxxxxxxxxxxxxxx>
> Suggested-by: Joe Perches <joe@xxxxxxxxxxx>
Acked-by: Miklos Szeredi <mszeredi@xxxxxxxxxx>
Al, please pick this up, it looks like a good sanity check and lack of
it is causing headaches for IBM QA.
Thanks,
Miklos
> ---
> fs/filesystems.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/filesystems.c b/fs/filesystems.c
> index 9135646e41ac..a61caf5b6ad3 100644
> --- a/fs/filesystems.c
> +++ b/fs/filesystems.c
> @@ -268,6 +268,9 @@ struct file_system_type *get_fs_type(const char *name)
> const char *dot = strchr(name, '.');
> int len = dot ? dot - name : strlen(name);
>
> + if (len >= PATH_MAX)
> + return NULL;
> +
> fs = __get_fs_type(name, len);
> if (!fs && (request_module("fs-%.*s", len, name) == 0)) {
> fs = __get_fs_type(name, len);
> --
> 2.19.1
>
