The patch titled Subject: coda: potential buffer overflow in coda_psdev_write() has been added to the -mm tree. Its filename is coda-potential-buffer-overflow-in-coda_psdev_write.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/coda-potential-buffer-overflow-in-coda_psdev_write.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/coda-potential-buffer-overflow-in-coda_psdev_write.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Jan Harkes <jaharkes@xxxxxxxxxx> Subject: coda: potential buffer overflow in coda_psdev_write() Add checks to make sure the downcall message we got from the Coda cache manager is large enough to contain the data it is supposed to have. i.e. when we get a CODA_ZAPDIR we can access &out->coda_zapdir.CodaFid. Link: http://lkml.kernel.org/r/894fb6b250add09e4e3935f14649f21284a5cb18.1558117389.git.jaharkes@xxxxxxxxxx Signed-off-by: Jan Harkes <jaharkes@xxxxxxxxxx> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Cc: Arnd Bergmann <arnd@xxxxxxxx> Cc: Colin Ian King <colin.king@xxxxxxxxxxxxx> Cc: David Howells <dhowells@xxxxxxxxxx> Cc: Fabian Frederick <fabf@xxxxxxxxx> Cc: Mikko Rapeli <mikko.rapeli@xxxxxx> Cc: Sam Protsenko <semen.protsenko@xxxxxxxxxx> Cc: Yann Droneaud <ydroneaud@xxxxxxxxxx> Cc: Zhouyang Jia <jiazhouyang09@xxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/coda/psdev.c | 8 ++++++-- fs/coda/upcall.c | 34 +++++++++++++++++++++++++++++++++- include/linux/coda_psdev.h | 3 ++- 3 files changed, 41 insertions(+), 4 deletions(-) 
--- a/fs/coda/psdev.c~coda-potential-buffer-overflow-in-coda_psdev_write
+++ a/fs/coda/psdev.c
@@ -104,8 +104,12 @@ static ssize_t coda_psdev_write(struct f
 ssize_t retval = 0, count = 0;
 int error;
 
+ /* make sure there is enough to copy out the (opcode, unique) values */
+ if (nbytes < (2 * sizeof(u_int32_t)))
+ return -EINVAL;
+
 /* Peek at the opcode, uniquefier */
- if (copy_from_user(&hdr, buf, 2 * sizeof(u_long)))
+ if (copy_from_user(&hdr, buf, 2 * sizeof(u_int32_t)))
 return -EFAULT;
 
 if (DOWNCALL(hdr.opcode)) {
@@ -131,7 +135,7 @@ static ssize_t coda_psdev_write(struct f
 }
 
 /* what downcall errors does Venus handle ? */
- error = coda_downcall(vcp, hdr.opcode, dcbuf);
+ error = coda_downcall(vcp, hdr.opcode, dcbuf, nbytes);
 CODA_FREE(dcbuf, nbytes);
 
 if (error) {
--- a/fs/coda/upcall.c~coda-potential-buffer-overflow-in-coda_psdev_write
+++ a/fs/coda/upcall.c
@@ -804,12 +804,44 @@ exit:
 *
 * CODA_REPLACE -- replace one CodaFid with another throughout the name cache
 */
-int coda_downcall(struct venus_comm *vcp, int opcode, union outputArgs *out)
+int coda_downcall(struct venus_comm *vcp, int opcode, union outputArgs *out,
+ size_t nbytes)
 {
 struct inode *inode = NULL;
 struct CodaFid *fid = NULL, *newfid;
 struct super_block *sb;
 
+ /*
+ * Make sure we have received enough data from the cache
+ * manager to populate the necessary fields in the buffer
+ */
+ switch (opcode) {
+ case CODA_PURGEUSER:
+ if (nbytes < sizeof(struct coda_purgeuser_out))
+ return -EINVAL;
+ break;
+
+ case CODA_ZAPDIR:
+ if (nbytes < sizeof(struct coda_zapdir_out))
+ return -EINVAL;
+ break;
+
+ case CODA_ZAPFILE:
+ if (nbytes < sizeof(struct coda_zapfile_out))
+ return -EINVAL;
+ break;
+
+ case CODA_PURGEFID:
+ if (nbytes < sizeof(struct coda_purgefid_out))
+ return -EINVAL;
+ break;
+
+ case CODA_REPLACE:
+ if (nbytes < sizeof(struct coda_replace_out))
+ return -EINVAL;
+ break;
+ }
+
 /* Handle invalidation requests. */
 mutex_lock(&vcp->vc_mutex);
 sb = vcp->vc_sb;
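Review bot: The new minimum-length guard and the copy_from_user() call two lines below both spell the header size as `2 * sizeof(u_int32_t)`, so a later edit to one can silently drift from the other; hoisting it into one local, `const size_t hdr_len = 2 * sizeof(u_int32_t);`, and using `hdr_len` in both the comparison and the copy keeps the guard and the copy in lockstep. The comment above the guard says "copy out", but the bytes are being copied in from the user buffer; `/* need at least (opcode, unique) before peeking at the header */` says what is actually being checked. coda_psdev_write() begins before this hunk, so the declaration of hdr that receives the copy is not visible here.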
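Review bot: The new switch has no `default:` arm, so an opcode outside the five listed cases passes the length check with no minimum at all; whether that is safe depends on how coda_downcall() dispatches further down, which lies outside this hunk, so an explicit `default: break; /* remaining opcodes read nothing past the common header */` (if that is indeed the case) would make the decision visible instead of implicit. The comment block above the function, only partly shown here, lists the opcodes but says nothing about the new parameter; it should state that nbytes is the length of the message behind out as received from the cache manager and that -EINVAL is returned when it is shorter than what the opcode's handler reads. Bounding against `sizeof(struct coda_*_out)` is the right check since the handlers read fields of those union members, and the caller in fs/coda/psdev.c passes the full write length, which is also the size dcbuf was allocated with.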
--- a/include/linux/coda_psdev.h~coda-potential-buffer-overflow-in-coda_psdev_write
+++ a/include/linux/coda_psdev.h
@@ -71,7 +71,8 @@ int venus_symlink(struct super_block *sb
 int venus_access(struct super_block *sb, struct CodaFid *fid, int mask);
 int venus_pioctl(struct super_block *sb, struct CodaFid *fid,
 unsigned int cmd, struct PioctlData *data);
-int coda_downcall(struct venus_comm *vcp, int opcode, union outputArgs *out);
+int coda_downcall(struct venus_comm *vcp, int opcode, union outputArgs *out,
+ size_t nbytes);
 int venus_fsync(struct super_block *sb, struct CodaFid *fid);
 int venus_statfs(struct dentry *dentry, struct kstatfs *sfs);
 
_
Patches currently in -mm which might be from jaharkes@xxxxxxxxxx are coda-pass-the-host-file-in-vma-vm_file-on-mmap.patch coda-potential-buffer-overflow-in-coda_psdev_write.patch coda-dont-try-to-print-names-that-were-considered-too-long.patch uapi-linux-coda_psdevh-move-coda_req_-from-uapi-to-kernel-side-headers.patch coda-change-codas-user-api-to-use-64-bit-time_t-in-timespec.patch coda-bump-module-version.patch coda-remove-uapi-linux-coda_psdevh.patch