Patch "do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak" has been added to the 6.8-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak

to the 6.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch
and it can be found in the queue-6.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1abeb6f00936dad1cea929fc81affc9132d05504
Author: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
Date:   Fri Jan 19 07:39:06 2024 -0800

    do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
    
    [ Upstream commit 3948abaa4e2be938ccdfc289385a27342fb13d43 ]
    
    syzbot identified a kernel information leak vulnerability in
    do_sys_name_to_handle() and issued the following report [1].
    
    [1]
    "BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
    BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
     instrument_copy_to_user include/linux/instrumented.h:114 [inline]
     _copy_to_user+0xbc/0x100 lib/usercopy.c:40
     copy_to_user include/linux/uaccess.h:191 [inline]
     do_sys_name_to_handle fs/fhandle.c:73 [inline]
     __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
     __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94
     __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
     ...
    
    Uninit was created at:
     slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
     slab_alloc_node mm/slub.c:3478 [inline]
     __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
     __do_kmalloc_node mm/slab_common.c:1006 [inline]
     __kmalloc+0x121/0x3c0 mm/slab_common.c:1020
     kmalloc include/linux/slab.h:604 [inline]
     do_sys_name_to_handle fs/fhandle.c:39 [inline]
     __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
     __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94
     __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
     ...
    
    Bytes 18-19 of 20 are uninitialized
    Memory access of size 20 starts at ffff888128a46380
    Data copied to user address 0000000020000240"
    
    Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to
    solve the problem.
    
    Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support")
    Suggested-by: Chuck Lever III <chuck.lever@xxxxxxxxxx>
    Reported-and-tested-by: <syzbot+09b349b3066c2e0b1e96@xxxxxxxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240119153906.4367-1-n.zhandarovich@xxxxxxxxxx
    Reviewed-by: Jan Kara <jack@xxxxxxx>
    Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/fhandle.c b/fs/fhandle.c
index 18b3ba8dc8ead..57a12614addfd 100644
--- a/fs/fhandle.c
+++ b/fs/fhandle.c
@@ -36,7 +36,7 @@ static long do_sys_name_to_handle(const struct path *path,
 	if (f_handle.handle_bytes > MAX_HANDLE_SZ)
 		return -EINVAL;
 
-	handle = kmalloc(sizeof(struct file_handle) + f_handle.handle_bytes,
+	handle = kzalloc(sizeof(struct file_handle) + f_handle.handle_bytes,
 			 GFP_KERNEL);
 	if (!handle)
 		return -ENOMEM;




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux