Re: [PATCH 6.6/6.1] fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 25 Nov 2024 10:20:57 -0500

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 7f7b850689ac06a62befe26e1fd1806799e7f152

WARNING: Author mismatch between patch and upstream commit:
Backport author: Xiangyu Chen <xiangyu.chen@xxxxxxxxxxxxxxxxx>
Commit author: Li Zhijian <lizhijian@xxxxxxxxxxx>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (different SHA1: ef921bc72328)
6.6.y | Not found

Note: The patch differs from the upstream commit:
---

--- -	2024-11-25 09:34:22.550930390 -0500
+++ /tmp/tmp.KhG7yJ4lZP	2024-11-25 09:34:22.544724589 -0500
@@ -1,3 +1,5 @@
+[ Upstream commit 7f7b850689ac06a62befe26e1fd1806799e7f152 ]
+
 It's observed that a crash occurs during hot-remove a memory device,
 in which user is accessing the hugetlb. See calltrace as following:
 
@@ -87,15 +89,19 @@
 Link: https://lore.kernel.org/r/20240826055503.1522320-1-lizhijian@xxxxxxxxxxx
 Reviewed-by: Jan Kara <jack@xxxxxxx>
 Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
+Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
+[Xiangyu: Bp to fix CVE: CVE-2024-49934, modified strscpy step due to 6.1/6.6 need pass
+the max len to strscpy]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@xxxxxxxxxxxxx>
 ---
  fs/inode.c | 10 +++++++---
  1 file changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/fs/inode.c b/fs/inode.c
-index aacd05749c1f8..af78f515403f3 100644
+index 9cafde77e2b0..030e07b169c2 100644
 --- a/fs/inode.c
 +++ b/fs/inode.c
-@@ -616,6 +616,7 @@ void dump_mapping(const struct address_space *mapping)
+@@ -593,6 +593,7 @@ void dump_mapping(const struct address_space *mapping)
  	struct hlist_node *dentry_first;
  	struct dentry *dentry_ptr;
  	struct dentry dentry;
@@ -103,12 +109,12 @@
  	unsigned long ino;
  
  	/*
-@@ -652,11 +653,14 @@ void dump_mapping(const struct address_space *mapping)
+@@ -628,11 +629,14 @@ void dump_mapping(const struct address_space *mapping)
  		return;
  	}
  
 +	if (strncpy_from_kernel_nofault(fname, dentry.d_name.name, 63) < 0)
-+		strscpy(fname, "<invalid>");
++		strscpy(fname, "<invalid>", 63);
  	/*
 -	 * if dentry is corrupted, the %pd handler may still crash,
 -	 * but it's unlikely that we reach here with a corrupt mapping
@@ -121,3 +127,6 @@
  }
  
  void clear_inode(struct inode *inode)
+-- 
+2.43.0
+
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        |  Success    |  Success   |
| stable/linux-6.1.y        |  Success    |  Success   |







