Jan Kara <jack@xxxxxxx> writes:

> When fat_encode_fh_nostale() encodes file handle without a parent it
> stores only first 10 bytes of the file handle. However the length of the
> file handle must be a multiple of 4 so the file handle is actually 12
> bytes long and the last two bytes remain uninitialized. This is not
> great as we potentially leak uninitialized information with the handle
> to userspace. Properly initialize the full handle length.
>
> Reported-by: syzbot+3ce5dea5b1539ff36769@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: ea3983ace6b7 ("fat: restructure export_operations")
> Signed-off-by: Jan Kara <jack@xxxxxxx>

We can clean up more though, the fix itself looks good. Thanks.

Acked-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>

> ---
>  fs/fat/nfs.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/fs/fat/nfs.c b/fs/fat/nfs.c
> index c52e63e10d35..509eea96a457 100644
> --- a/fs/fat/nfs.c
> +++ b/fs/fat/nfs.c
> @@ -130,6 +130,12 @@ fat_encode_fh_nostale(struct inode *inode, __u32 *fh, int *lenp,
>  		fid->parent_i_gen = parent->i_generation;
>  		type = FILEID_FAT_WITH_PARENT;
>  		*lenp = FAT_FID_SIZE_WITH_PARENT;
> +	} else {
> +		/*
> +		 * We need to initialize this field because the fh is actually
> +		 * 12 bytes long
> +		 */
> +		fid->parent_i_pos_hi = 0;
>  	}
>  
>  	return type;

-- 
OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
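Review bot: The comment added in the else branch should state why the handle is 12 bytes rather than just asserting it: per the commit message the no-parent handle is 10 bytes, but handle lengths are expressed as a multiple of 4 bytes, so the two bytes that follow the last initialized field (the `parent_i_pos_hi` member) are copied to userspace as well. Something like "the no-parent handle is 10 bytes but the handle length is rounded up to 12, so the next field is copied out and must not be left uninitialized" makes the kernel-to-user infoleak the fix closes clear to the next reader. Also note that zeroing `fid->parent_i_pos_hi` alone is correct only as long as that field is what happens to sit immediately after the 10-byte no-parent layout; if the struct is ever reordered the leak silently returns. Zeroing the whole `fid` (or the tail up to the rounded length) before filling in the fields would not depend on the layout, which fits the "we can clean up more" remark above.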