| Message ID | 20231112095353.579855-1-debug.penguin32@gmail.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b909:0:b0:403:3b70:6f57 with SMTP id t9csp621471vqg;
Sun, 12 Nov 2023 01:58:12 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IHkZdY/NpL0bAY/WqY6he7NSAQnh/husldY8SaNfeCQa9Ca1yD6elJ2syIuE6KwDvX/H4b/
X-Received: by 2002:a17:902:9045:b0:1cc:ec22:5a40 with SMTP id
w5-20020a170902904500b001ccec225a40mr4035041plz.26.1699783091782;
Sun, 12 Nov 2023 01:58:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1699783091; cv=none;
d=google.com; s=arc-20160816;
b=K15Qr89cvh8laNI4R7NeX0HED03yaGJF/yPFgiVs4olAROljAn+u1QD/ozpWin8+et
VKM43phJl/xHGDAWIgV7MNBGyx0/JSe+dS1yPST5OEJdrP0yzgebM1AxMszJX1eL9UFb
R+x2SGdR2aCYTuuP5h3Zzk6AtOMKQ/FIXZW7Jvv8WtNXByfiBQdaSNHFmwcwN0jdxu7R
lzHG9H1BEEB8OjdO7gzGbOxEKhLDlLNsSExPTMMEVloCl2sMT1RHP2udZ5yO4AEpRnd4
2f2t6vXrwb40r8Y12j4op9qHPC68pYQbD18iB46Jn1BkT3lhDNdyLPktt13+st5oAtZk
s7ow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=4Y+xqbrN1WZa/CB0XAzBxnbgNyp0CPoCcb3whiJBwOM=;
fh=z8D9ZX+JyW60zWrorM8OuGarIUTxEhVQGWpnAlSOqB8=;
b=D36CqNM0oUEEh9L1wHA/sAMMGYCsEO5mUK/GWAC046zl/0iECDLMYDfPy4/OEDdELQ
ahbhGW6CjInmWnNjwzUTGmAqaVqT7mtaUgHFxnwYrRDQajiok1arTNtoR/qb5BHpOlxc
/Uc6D7h7vFySDCRPyLDsjYxHUORXCLV5ERHDAhvLhZchQYIukpIglx08bb3TYBZOtlYu
VSb3IwmvAig9x55kd+KlnWAmHWWl03vreq2pvpQ30asugwzkfFnjYABDp5R5tA855rmW
r0v3GHzNc87J5i0ZnWXARWaRl/B/FCdp+pbvwuU4MzG9LzSDnn51CR9GluQqsxwKAPKq
vgkQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=h1tmaTEa;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:7 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7])
by mx.google.com with ESMTPS id
w12-20020a170902d3cc00b001c9dfd47959si3199392plb.602.2023.11.12.01.58.11
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 12 Nov 2023 01:58:11 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:7 as permitted sender)
client-ip=2620:137:e000::3:7;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=h1tmaTEa;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:7 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by snail.vger.email (Postfix) with ESMTP id 06C2A80BE2EA;
Sun, 12 Nov 2023 01:58:11 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230195AbjKLJyi (ORCPT <rfc822;lhua1029@gmail.com> + 30 others);
Sun, 12 Nov 2023 04:54:38 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33220 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229441AbjKLJyh (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sun, 12 Nov 2023 04:54:37 -0500
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com
[IPv6:2a00:1450:4864:20::32b])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8E28A2D62;
Sun, 12 Nov 2023 01:54:34 -0800 (PST)
Received: by mail-wm1-x32b.google.com with SMTP id
5b1f17b1804b1-4079ed65471so28067715e9.1;
Sun, 12 Nov 2023 01:54:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1699782873; x=1700387673;
darn=vger.kernel.org;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=4Y+xqbrN1WZa/CB0XAzBxnbgNyp0CPoCcb3whiJBwOM=;
b=h1tmaTEap+cEWHjp0IT7aJ7J11vjnilX0zeP1BDNIx9ZauAd/GnQUWe5WtSe4NiuDs
S0dftR+z2qyfDZ2qgHyVZMtH6ZjPN+cwsYoaUEZ4Rf7pC3xrfrZGioP/Z0hlgCUk8eO5
uRXRI45/1JXHUFmy/HQAc0ObgwxNLB5bkFdGcxNIJhSOjyecMixAV+t9upAw8ql5iRGg
1gtlGPcpy5hC0P7QRpgvJxcQ9hp2caKoBWbwN7QbM60USDQusONerNkmYXO8XhQswzF9
tXZgRyfAKIOUbX48heQVBm3tWOu3TS10d3G3uEfIa/s+JYkdCWEFjORchr+3odCQHqqW
WI3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1699782873; x=1700387673;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=4Y+xqbrN1WZa/CB0XAzBxnbgNyp0CPoCcb3whiJBwOM=;
b=adOumkhkKkF8WrxHMGy1oTPjoNczzSgsBfm1JL0wqw8aAdH5MceldBr+MJOrhPzOs5
xD7u7Xqa8Gv9GBIPGddgezCcaYE5D5xYvDXVjYXbs7VW063KPP0iGo/a1WaF5lNCxMUB
UiztQ/XCSeVOHExO62kSWjQJ8x80BazhdW7b+8mqSWyf7p/bgdj0vSEgib1vrqnNI/N0
RUuhdnZx7kP0GKOIR38V0rvqNYFq+qH5DtCCs4NsAu6ZjVIlMwF/fnOUiu8WBgp8wVlv
cNUvz1yxfRnZ4yHrofKTLl9kv4CRP86iMZJE1YxicllXCVzAXHfsM3tBR09Xb4XKaRsr
gvVA==
X-Gm-Message-State: AOJu0YwvGTscYj+7tgoaOtPXjjTixk6d8aEWKV5OtcRIGB9F9ylyzpoo
cx+syQ0BcFylzWfqVS5Lozc=
X-Received: by 2002:a05:600c:d8:b0:405:4a78:a890 with SMTP id
u24-20020a05600c00d800b004054a78a890mr3175157wmm.8.1699782872537;
Sun, 12 Nov 2023 01:54:32 -0800 (PST)
Received: from eagle-5590.. ([91.196.221.26])
by smtp.gmail.com with ESMTPSA id
w23-20020a05600c2a1700b003fe23b10fdfsm10200942wme.36.2023.11.12.01.54.28
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 12 Nov 2023 01:54:32 -0800 (PST)
From: Ronald Monthero <debug.penguin32@gmail.com>
To: al@alarsen.net
Cc: keescook@chromium.org, gustavoars@kernel.org,
Ronald Monthero <debug.penguin32@gmail.com>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] qnx4: fix to avoid panic due to buffer overflow
Date: Sun, 12 Nov 2023 19:53:53 +1000
Message-Id: <20231112095353.579855-1-debug.penguin32@gmail.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,
FREEMAIL_FROM,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]);
Sun, 12 Nov 2023 01:58:11 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1782351755182229540
X-GMAIL-MSGID: 1782351755182229540
|
| Series |
qnx4: fix to avoid panic due to buffer overflow
|
|
Commit Message
Ronald Monthero
Nov. 12, 2023, 9:53 a.m. UTC
qnx4 dir name length can vary to be of maximum size
QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether
'link info' entry is stored and the status byte is set.
So to avoid buffer overflow check di_fname length
fetched from (struct qnx4_inode_entry *)
before use in strlen to avoid buffer overflow.
panic context
[ 4849.636861] detected buffer overflow in strlen
[ 4849.636897] ------------[ cut here ]------------
[ 4849.636902] kernel BUG at lib/string.c:1165!
[ 4849.636917] invalid opcode: 0000 [#2] SMP PTI
..
[ 4849.637047] Call Trace:
[ 4849.637053] <TASK>
[ 4849.637059] ? show_trace_log_lvl+0x1d6/0x2ea
[ 4849.637075] ? show_trace_log_lvl+0x1d6/0x2ea
[ 4849.637095] ? qnx4_find_entry.cold+0xc/0x18 [qnx4]
[ 4849.637111] ? show_regs.part.0+0x23/0x29
[ 4849.637123] ? __die_body.cold+0x8/0xd
[ 4849.637135] ? __die+0x2b/0x37
[ 4849.637147] ? die+0x30/0x60
[ 4849.637161] ? do_trap+0xbe/0x100
[ 4849.637171] ? do_error_trap+0x6f/0xb0
[ 4849.637180] ? fortify_panic+0x13/0x15
[ 4849.637192] ? exc_invalid_op+0x53/0x70
[ 4849.637203] ? fortify_panic+0x13/0x15
[ 4849.637215] ? asm_exc_invalid_op+0x1b/0x20
[ 4849.637228] ? fortify_panic+0x13/0x15
[ 4849.637240] ? fortify_panic+0x13/0x15
[ 4849.637251] qnx4_find_entry.cold+0xc/0x18 [qnx4]
[ 4849.637264] qnx4_lookup+0x3c/0xa0 [qnx4]
[ 4849.637275] __lookup_slow+0x85/0x150
[ 4849.637291] walk_component+0x145/0x1c0
[ 4849.637304] ? path_init+0x2c0/0x3f0
[ 4849.637316] path_lookupat+0x6e/0x1c0
[ 4849.637330] filename_lookup+0xcf/0x1d0
[ 4849.637341] ? __check_object_size+0x1d/0x30
[ 4849.637354] ? strncpy_from_user+0x44/0x150
[ 4849.637365] ? getname_flags.part.0+0x4c/0x1b0
[ 4849.637375] user_path_at_empty+0x3f/0x60
[ 4849.637383] vfs_statx+0x7a/0x130
[ 4849.637393] do_statx+0x45/0x80
..
Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com>
---
fs/qnx4/namei.c | 7 +++++++
1 file changed, 7 insertions(+)
Comments
On 2023-11-12 10:53 Ronald Monthero wrote: > qnx4 dir name length can vary to be of maximum size > QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether > 'link info' entry is stored and the status byte is set. > So to avoid buffer overflow check di_fname length > fetched from (struct qnx4_inode_entry *) > before use in strlen to avoid buffer overflow. [snip] > > Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com> > --- > fs/qnx4/namei.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > index 8d72221735d7..825b891a52b3 100644 > --- a/fs/qnx4/namei.c > +++ b/fs/qnx4/namei.c > @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name, > } else { > namelen = QNX4_SHORT_NAME_MAX; > } > + > + /** qnx4 dir name length can vary, check the di_fname > + * fetched from (struct qnx4_inode_entry *) before use in > + * strlen to avoid panic due to buffer overflow" > + */ > + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) > + return -ENAMETOOLONG; sizeof(de->di_fname) equals QNX4_SHORT_NAME_MAX, so this test fails as soon as a filename is longer than that! This quick fix (untested!) should do the trick (and avoids computing the length of the name twice): diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c index 8d72221735d7..7694f86fbb2e 100644 --- a/fs/qnx4/namei.c +++ b/fs/qnx4/namei.c @@ -40,9 +40,7 @@ static int qnx4_match(int len, const char *name, } else { namelen = QNX4_SHORT_NAME_MAX; } - thislen = strlen( de->di_fname ); - if ( thislen > namelen ) - thislen = namelen; + thislen = strnlen(de->di_fname, namelen); if (len != thislen) { return 0; } Cheers Anders
On Mon, Nov 13, 2023 at 2:16 AM Anders Larsen <al@alarsen.net> wrote: > > On 2023-11-12 10:53 Ronald Monthero wrote: > > qnx4 dir name length can vary to be of maximum size > > QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether > > 'link info' entry is stored and the status byte is set. > > So to avoid buffer overflow check di_fname length > > fetched from (struct qnx4_inode_entry *) > > before use in strlen to avoid buffer overflow. > > [snip] > > > > > Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com> > > --- > > fs/qnx4/namei.c | 7 +++++++ > > 1 file changed, 7 insertions(+) > > > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > > index 8d72221735d7..825b891a52b3 100644 > > --- a/fs/qnx4/namei.c > > +++ b/fs/qnx4/namei.c > > @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name, > > } else { > > namelen = QNX4_SHORT_NAME_MAX; > > } > > + > > + /** qnx4 dir name length can vary, check the di_fname > > + * fetched from (struct qnx4_inode_entry *) before use in > > + * strlen to avoid panic due to buffer overflow" > > + */ > > + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) > > + return -ENAMETOOLONG; > > sizeof(de->di_fname) equals QNX4_SHORT_NAME_MAX, so this test fails as soon as > a filename is longer than that! I suppose de->di_fname can be QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX isn't it ? It's set based on di_status, if di_status is set, then it will be QNX4_NAME_MAX and otherwise QNX4_SHORT_NAME_MAX. We capture that into namelen, prior to the string length check - if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) as below: de = (struct qnx4_inode_entry *) (bh->b_data + *offset); *offset += QNX4_DIR_ENTRY_SIZE; if ((de->di_status & QNX4_FILE_LINK) != 0) { namelen = QNX4_NAME_MAX; } else { namelen = QNX4_SHORT_NAME_MAX; } BR, Ron > This quick fix (untested!) should do the trick (and avoids computing the length > of the name twice): > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > index 8d72221735d7..7694f86fbb2e 100644 > --- a/fs/qnx4/namei.c > +++ b/fs/qnx4/namei.c > @@ -40,9 +40,7 @@ static int qnx4_match(int len, const char *name, > } else { > namelen = QNX4_SHORT_NAME_MAX; > } > - thislen = strlen( de->di_fname ); > - if ( thislen > namelen ) > - thislen = namelen; > + thislen = strnlen(de->di_fname, namelen); > if (len != thislen) { > return 0; > } > > Cheers > Anders > >
On 2023-11-13 10:25 Ronald Monthero wrote: > On Mon, Nov 13, 2023 at 2:16 AM Anders Larsen <al@alarsen.net> wrote: > > On 2023-11-12 10:53 Ronald Monthero wrote: > > > qnx4 dir name length can vary to be of maximum size > > > QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether > > > 'link info' entry is stored and the status byte is set. > > > So to avoid buffer overflow check di_fname length > > > fetched from (struct qnx4_inode_entry *) > > > before use in strlen to avoid buffer overflow. > > > > [snip] > > > > > Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com> > > > --- > > > > > > fs/qnx4/namei.c | 7 +++++++ > > > 1 file changed, 7 insertions(+) > > > > > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > > > index 8d72221735d7..825b891a52b3 100644 > > > --- a/fs/qnx4/namei.c > > > +++ b/fs/qnx4/namei.c > > > @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name, > > > > > > } else { > > > > > > namelen = QNX4_SHORT_NAME_MAX; > > > > > > } > > > > > > + > > > + /** qnx4 dir name length can vary, check the di_fname > > > + * fetched from (struct qnx4_inode_entry *) before use in > > > + * strlen to avoid panic due to buffer overflow" > > > + */ > > > + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) > > > + return -ENAMETOOLONG; > > > > sizeof(de->di_fname) equals QNX4_SHORT_NAME_MAX, so this test fails as > > soon as a filename is longer than that! > > I suppose de->di_fname can be QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX isn't it > ? It's set based on di_status, if di_status is set, then it will be > QNX4_NAME_MAX and otherwise QNX4_SHORT_NAME_MAX. > We capture that into namelen, prior to the string length check - if > (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) > as below: > > de = (struct qnx4_inode_entry *) (bh->b_data + *offset); > *offset += QNX4_DIR_ENTRY_SIZE; > if ((de->di_status & QNX4_FILE_LINK) != 0) { > namelen = QNX4_NAME_MAX; > } else { > namelen = QNX4_SHORT_NAME_MAX; > } > > BR, > Ron sizeof(de->di_fname) is evaluated as QNX4_SHORT_NAME_MAX already at compile time, see the definition of di_fname in uapi/linux/qnx4_fs.h I agree that the code is confusing, as 'de' is declared as a pointer to a struct qnx4_inode_entry but in reality points to a struct qnx4_link_info iff QNX4_FILE_LINK is set in de->di_status. (Note that the corresponding field dl_status in qnx4_link_info is at the same offset as di_status in qnx4_inode_entry - that's the disk layout.) > > This quick fix (untested!) should do the trick (and avoids computing the > > length of the name twice): > > > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > > index 8d72221735d7..7694f86fbb2e 100644 > > --- a/fs/qnx4/namei.c > > +++ b/fs/qnx4/namei.c > > @@ -40,9 +40,7 @@ static int qnx4_match(int len, const char *name, > > } else { > > namelen = QNX4_SHORT_NAME_MAX; > > } > > - thislen = strlen( de->di_fname ); > > - if ( thislen > namelen ) > > - thislen = namelen; > > + thislen = strnlen(de->di_fname, namelen); > > if (len != thislen) { > > return 0; > > } Niek reported that this fix improved the situation, but he later got a crash, albeit at a different place (but still within the qnx4fs). Cheers Anders
On Tue, Nov 14, 2023 at 1:40 AM Anders Larsen <al@alarsen.net> wrote: > < Snipped> > > sizeof(de->di_fname) is evaluated as QNX4_SHORT_NAME_MAX already at compile > time, see the definition of di_fname in uapi/linux/qnx4_fs.h > > I agree that the code is confusing, as 'de' is declared as a pointer to a > struct qnx4_inode_entry but in reality points to a struct qnx4_link_info iff > QNX4_FILE_LINK is set in de->di_status. > (Note that the corresponding field dl_status in qnx4_link_info is at the same > offset as di_status in qnx4_inode_entry - that's the disk layout.) > Thanks for the details, yes in struct qnx4_inode_entry its size char di_fname[QNX4_SHORT_NAME_MAX]; < snipped> > > Niek reported that this fix improved the situation, but he later got a crash, > albeit at a different place (but still within the qnx4fs). Yes I saw that Niek has shared the second crash dump stack in above email thread and also in [1] Bugzilla 218111.The dump stack of the crash looks to be doing a similar lookup call context, do_statx => vfs_statx => filename_lookup => qn4x_lookup => fortify_panic ( ) [1] https://bugzilla.kernel.org/show_bug.cgi?id=218111#c4 But I also see a softlockup also in the dump stack, so something in their environment is causing softlock ups. And that tallies with the symptoms of system freeze that Niek mentioned " I can mount and view the directories, but after several hours my system froze up again." watchdog: BUG: soft lockup - CPU#7 stuck for 26s! [pool-gvfsd-admi:31952] <<<< It's possible the softlockups were occurring on fews of the CPUs on the system for a few hours before the crash occurred that caused a system slow down. BR, Ronald
On Sun, Nov 12, 2023 at 07:53:53PM +1000, Ronald Monthero wrote: > qnx4 dir name length can vary to be of maximum size > QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether > 'link info' entry is stored and the status byte is set. > So to avoid buffer overflow check di_fname length > fetched from (struct qnx4_inode_entry *) > before use in strlen to avoid buffer overflow. > > panic context > [ 4849.636861] detected buffer overflow in strlen > [ 4849.636897] ------------[ cut here ]------------ > [ 4849.636902] kernel BUG at lib/string.c:1165! > [ 4849.636917] invalid opcode: 0000 [#2] SMP PTI > .. > [ 4849.637047] Call Trace: > [ 4849.637053] <TASK> > [ 4849.637059] ? show_trace_log_lvl+0x1d6/0x2ea > [ 4849.637075] ? show_trace_log_lvl+0x1d6/0x2ea > [ 4849.637095] ? qnx4_find_entry.cold+0xc/0x18 [qnx4] > [ 4849.637111] ? show_regs.part.0+0x23/0x29 > [ 4849.637123] ? __die_body.cold+0x8/0xd > [ 4849.637135] ? __die+0x2b/0x37 > [ 4849.637147] ? die+0x30/0x60 > [ 4849.637161] ? do_trap+0xbe/0x100 > [ 4849.637171] ? do_error_trap+0x6f/0xb0 > [ 4849.637180] ? fortify_panic+0x13/0x15 > [ 4849.637192] ? exc_invalid_op+0x53/0x70 > [ 4849.637203] ? fortify_panic+0x13/0x15 > [ 4849.637215] ? asm_exc_invalid_op+0x1b/0x20 > [ 4849.637228] ? fortify_panic+0x13/0x15 > [ 4849.637240] ? fortify_panic+0x13/0x15 > [ 4849.637251] qnx4_find_entry.cold+0xc/0x18 [qnx4] > [ 4849.637264] qnx4_lookup+0x3c/0xa0 [qnx4] > [ 4849.637275] __lookup_slow+0x85/0x150 > [ 4849.637291] walk_component+0x145/0x1c0 > [ 4849.637304] ? path_init+0x2c0/0x3f0 > [ 4849.637316] path_lookupat+0x6e/0x1c0 > [ 4849.637330] filename_lookup+0xcf/0x1d0 > [ 4849.637341] ? __check_object_size+0x1d/0x30 > [ 4849.637354] ? strncpy_from_user+0x44/0x150 > [ 4849.637365] ? getname_flags.part.0+0x4c/0x1b0 > [ 4849.637375] user_path_at_empty+0x3f/0x60 > [ 4849.637383] vfs_statx+0x7a/0x130 > [ 4849.637393] do_statx+0x45/0x80 > .. > > Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com> > --- > fs/qnx4/namei.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > index 8d72221735d7..825b891a52b3 100644 > --- a/fs/qnx4/namei.c > +++ b/fs/qnx4/namei.c > @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name, > } else { > namelen = QNX4_SHORT_NAME_MAX; > } > + > + /** qnx4 dir name length can vary, check the di_fname > + * fetched from (struct qnx4_inode_entry *) before use in > + * strlen to avoid panic due to buffer overflow" > + */ Style nit: this comment should start with just "/*" alone, like: /* * qnx4 dir name ... > + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) > + return -ENAMETOOLONG; > thislen = strlen( de->di_fname ); de->di_fname is: struct qnx4_inode_entry { char di_fname[QNX4_SHORT_NAME_MAX]; ... #define QNX4_SHORT_NAME_MAX 16 #define QNX4_NAME_MAX 48 It's always going to have a max of QNX4_SHORT_NAME_MAX. Is any of this code correct if namelen ends up being QNX4_NAME_MAX? It'll be reading past the end of di_fname. Is bh->b_data actually struct qnx4_inode_entry ? -Kees > if ( thislen > namelen ) > thislen = namelen; > -- > 2.34.1 >
On Thu, Nov 16, 2023 at 06:29:59AM -0800, Kees Cook wrote: > On Sun, Nov 12, 2023 at 07:53:53PM +1000, Ronald Monthero wrote: > > qnx4 dir name length can vary to be of maximum size > > QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether > > 'link info' entry is stored and the status byte is set. > > So to avoid buffer overflow check di_fname length > > fetched from (struct qnx4_inode_entry *) > > before use in strlen to avoid buffer overflow. > > > > panic context > > [ 4849.636861] detected buffer overflow in strlen > > [ 4849.636897] ------------[ cut here ]------------ > > [ 4849.636902] kernel BUG at lib/string.c:1165! > > [ 4849.636917] invalid opcode: 0000 [#2] SMP PTI > > .. > > [ 4849.637047] Call Trace: > > [ 4849.637053] <TASK> > > [ 4849.637059] ? show_trace_log_lvl+0x1d6/0x2ea > > [ 4849.637075] ? show_trace_log_lvl+0x1d6/0x2ea > > [ 4849.637095] ? qnx4_find_entry.cold+0xc/0x18 [qnx4] > > [ 4849.637111] ? show_regs.part.0+0x23/0x29 > > [ 4849.637123] ? __die_body.cold+0x8/0xd > > [ 4849.637135] ? __die+0x2b/0x37 > > [ 4849.637147] ? die+0x30/0x60 > > [ 4849.637161] ? do_trap+0xbe/0x100 > > [ 4849.637171] ? do_error_trap+0x6f/0xb0 > > [ 4849.637180] ? fortify_panic+0x13/0x15 > > [ 4849.637192] ? exc_invalid_op+0x53/0x70 > > [ 4849.637203] ? fortify_panic+0x13/0x15 > > [ 4849.637215] ? asm_exc_invalid_op+0x1b/0x20 > > [ 4849.637228] ? fortify_panic+0x13/0x15 > > [ 4849.637240] ? fortify_panic+0x13/0x15 > > [ 4849.637251] qnx4_find_entry.cold+0xc/0x18 [qnx4] > > [ 4849.637264] qnx4_lookup+0x3c/0xa0 [qnx4] > > [ 4849.637275] __lookup_slow+0x85/0x150 > > [ 4849.637291] walk_component+0x145/0x1c0 > > [ 4849.637304] ? path_init+0x2c0/0x3f0 > > [ 4849.637316] path_lookupat+0x6e/0x1c0 > > [ 4849.637330] filename_lookup+0xcf/0x1d0 > > [ 4849.637341] ? __check_object_size+0x1d/0x30 > > [ 4849.637354] ? strncpy_from_user+0x44/0x150 > > [ 4849.637365] ? getname_flags.part.0+0x4c/0x1b0 > > [ 4849.637375] user_path_at_empty+0x3f/0x60 > > [ 4849.637383] vfs_statx+0x7a/0x130 > > [ 4849.637393] do_statx+0x45/0x80 > > .. > > > > Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com> > > --- > > fs/qnx4/namei.c | 7 +++++++ > > 1 file changed, 7 insertions(+) > > > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > > index 8d72221735d7..825b891a52b3 100644 > > --- a/fs/qnx4/namei.c > > +++ b/fs/qnx4/namei.c > > @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name, > > } else { > > namelen = QNX4_SHORT_NAME_MAX; > > } > > + > > + /** qnx4 dir name length can vary, check the di_fname > > + * fetched from (struct qnx4_inode_entry *) before use in > > + * strlen to avoid panic due to buffer overflow" > > + */ > > Style nit: this comment should start with just "/*" alone, like: > > /* > * qnx4 dir name ... > > > + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) > > + return -ENAMETOOLONG; > > thislen = strlen( de->di_fname ); > > de->di_fname is: > > struct qnx4_inode_entry { > char di_fname[QNX4_SHORT_NAME_MAX]; > ... > > #define QNX4_SHORT_NAME_MAX 16 > #define QNX4_NAME_MAX 48 > > It's always going to have a max of QNX4_SHORT_NAME_MAX. Is any of this > code correct if namelen ends up being QNX4_NAME_MAX? It'll be reading > past the end of di_fname. > > Is bh->b_data actually struct qnx4_inode_entry ? Ah-ha, it looks like it's _not_: if (!(bh = qnx4_find_entry(len, dir, name, &de, &ino))) goto out; /* The entry is linked, let's get the real info */ if ((de->di_status & QNX4_FILE_LINK) == QNX4_FILE_LINK) { lnk = (struct qnx4_link_info *) de; It seems that entries may be either struct qnx4_inode_entry or struct qnx4_link_info but it's not captured in a union. This needs to be fixed by not lying to the compiler about what is there. How about this? diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c index 8d72221735d7..3cd20065bcfa 100644 --- a/fs/qnx4/namei.c +++ b/fs/qnx4/namei.c @@ -26,31 +26,39 @@ static int qnx4_match(int len, const char *name, struct buffer_head *bh, unsigned long *offset) { - struct qnx4_inode_entry *de; - int namelen, thislen; + union qnx4_dir_entry *de; + char *entry_fname; + int entry_len, entry_max_len; if (bh == NULL) { printk(KERN_WARNING "qnx4: matching unassigned buffer !\n"); return 0; } - de = (struct qnx4_inode_entry *) (bh->b_data + *offset); + de = (union qnx4_dir_entry *) (bh->b_data + *offset); *offset += QNX4_DIR_ENTRY_SIZE; - if ((de->di_status & QNX4_FILE_LINK) != 0) { - namelen = QNX4_NAME_MAX; - } else { - namelen = QNX4_SHORT_NAME_MAX; - } - thislen = strlen( de->di_fname ); - if ( thislen > namelen ) - thislen = namelen; - if (len != thislen) { + + switch (de->inode.di_status) { + case QNX4_FILE_LINK: + entry_fname = de->link.dl_fname; + entry_max_len = sizeof(de->link.dl_fname); + break; + case QNX4_FILE_USED: + entry_fname = de->inode.di_fname; + entry_max_len = sizeof(de->inode.di_fname); + break; + default: return 0; } - if (strncmp(name, de->di_fname, len) == 0) { - if ((de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)) != 0) { - return 1; - } - } + + /* Directory entry may not be %NUL-terminated. */ + entry_len = strnlen(entry_fname, entry_max_len); + + if (len != entry_len) + return 0; + + if (strncmp(name, entry_fname, len) == 0) + return 1; + return 0; } diff --git a/include/uapi/linux/qnx4_fs.h b/include/uapi/linux/qnx4_fs.h index 31487325d265..e033dbe1e009 100644 --- a/include/uapi/linux/qnx4_fs.h +++ b/include/uapi/linux/qnx4_fs.h @@ -68,6 +68,13 @@ struct qnx4_link_info { __u8 dl_status; }; +union qnx4_dir_entry { + struct qnx4_inode_entry inode; + struct qnx4_link_info link; +}; +_Static_assert(offsetof(struct qnx4_inode_entry, di_status) == + offsetof(struct qnx4_link_info, dl_status)); + struct qnx4_xblk { __le32 xblk_next_xblk; __le32 xblk_prev_xblk;
On 2023-11-16 15:58 Kees Cook wrote: > On Thu, Nov 16, 2023 at 06:29:59AM -0800, Kees Cook wrote: > > On Sun, Nov 12, 2023 at 07:53:53PM +1000, Ronald Monthero wrote: > > > qnx4 dir name length can vary to be of maximum size > > > QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether > > > 'link info' entry is stored and the status byte is set. > > > So to avoid buffer overflow check di_fname length > > > fetched from (struct qnx4_inode_entry *) > > > before use in strlen to avoid buffer overflow. > > > > > > panic context > > > [ 4849.636861] detected buffer overflow in strlen > > > [ 4849.636897] ------------[ cut here ]------------ > > > [ 4849.636902] kernel BUG at lib/string.c:1165! > > > [ 4849.636917] invalid opcode: 0000 [#2] SMP PTI > > > .. > > > [ 4849.637047] Call Trace: > > > [ 4849.637053] <TASK> > > > [ 4849.637059] ? show_trace_log_lvl+0x1d6/0x2ea > > > [ 4849.637075] ? show_trace_log_lvl+0x1d6/0x2ea > > > [ 4849.637095] ? qnx4_find_entry.cold+0xc/0x18 [qnx4] > > > [ 4849.637111] ? show_regs.part.0+0x23/0x29 > > > [ 4849.637123] ? __die_body.cold+0x8/0xd > > > [ 4849.637135] ? __die+0x2b/0x37 > > > [ 4849.637147] ? die+0x30/0x60 > > > [ 4849.637161] ? do_trap+0xbe/0x100 > > > [ 4849.637171] ? do_error_trap+0x6f/0xb0 > > > [ 4849.637180] ? fortify_panic+0x13/0x15 > > > [ 4849.637192] ? exc_invalid_op+0x53/0x70 > > > [ 4849.637203] ? fortify_panic+0x13/0x15 > > > [ 4849.637215] ? asm_exc_invalid_op+0x1b/0x20 > > > [ 4849.637228] ? fortify_panic+0x13/0x15 > > > [ 4849.637240] ? fortify_panic+0x13/0x15 > > > [ 4849.637251] qnx4_find_entry.cold+0xc/0x18 [qnx4] > > > [ 4849.637264] qnx4_lookup+0x3c/0xa0 [qnx4] > > > [ 4849.637275] __lookup_slow+0x85/0x150 > > > [ 4849.637291] walk_component+0x145/0x1c0 > > > [ 4849.637304] ? path_init+0x2c0/0x3f0 > > > [ 4849.637316] path_lookupat+0x6e/0x1c0 > > > [ 4849.637330] filename_lookup+0xcf/0x1d0 > > > [ 4849.637341] ? __check_object_size+0x1d/0x30 > > > [ 4849.637354] ? strncpy_from_user+0x44/0x150 > > > [ 4849.637365] ? getname_flags.part.0+0x4c/0x1b0 > > > [ 4849.637375] user_path_at_empty+0x3f/0x60 > > > [ 4849.637383] vfs_statx+0x7a/0x130 > > > [ 4849.637393] do_statx+0x45/0x80 > > > .. > > > > > > Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com> > > > --- > > > > > > fs/qnx4/namei.c | 7 +++++++ > > > 1 file changed, 7 insertions(+) > > > > > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > > > index 8d72221735d7..825b891a52b3 100644 > > > --- a/fs/qnx4/namei.c > > > +++ b/fs/qnx4/namei.c > > > @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name, > > > > > > } else { > > > > > > namelen = QNX4_SHORT_NAME_MAX; > > > > > > } > > > > > > + > > > + /** qnx4 dir name length can vary, check the di_fname > > > + * fetched from (struct qnx4_inode_entry *) before use in > > > + * strlen to avoid panic due to buffer overflow" > > > + */ > > > > Style nit: this comment should start with just "/*" alone, like: > > /* > > > > * qnx4 dir name ... > > > > > + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) > > > + return -ENAMETOOLONG; > > > > > > thislen = strlen( de->di_fname ); > > > > de->di_fname is: > > > > struct qnx4_inode_entry { > > > > char di_fname[QNX4_SHORT_NAME_MAX]; > > > > ... > > > > #define QNX4_SHORT_NAME_MAX 16 > > #define QNX4_NAME_MAX 48 > > > > It's always going to have a max of QNX4_SHORT_NAME_MAX. Is any of this > > code correct if namelen ends up being QNX4_NAME_MAX? It'll be reading > > past the end of di_fname. > > > > Is bh->b_data actually struct qnx4_inode_entry ? > > Ah-ha, it looks like it's _not_: > > if (!(bh = qnx4_find_entry(len, dir, name, &de, &ino))) > goto out; > /* The entry is linked, let's get the real info */ > if ((de->di_status & QNX4_FILE_LINK) == QNX4_FILE_LINK) { > lnk = (struct qnx4_link_info *) de; > > It seems that entries may be either struct qnx4_inode_entry or struct > qnx4_link_info but it's not captured in a union. > > This needs to be fixed by not lying to the compiler about what is there. > > How about this? The switch won't work since the _status field is a bit-field, so we should rather reuse the similar union-logic already present in fs/qnx4/dir.c > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > index 8d72221735d7..3cd20065bcfa 100644 > --- a/fs/qnx4/namei.c > +++ b/fs/qnx4/namei.c > @@ -26,31 +26,39 @@ > static int qnx4_match(int len, const char *name, > struct buffer_head *bh, unsigned long *offset) > { > - struct qnx4_inode_entry *de; > - int namelen, thislen; > + union qnx4_dir_entry *de; > + char *entry_fname; > + int entry_len, entry_max_len; > > if (bh == NULL) { > printk(KERN_WARNING "qnx4: matching unassigned buffer ! \n"); > return 0; > } > - de = (struct qnx4_inode_entry *) (bh->b_data + *offset); > + de = (union qnx4_dir_entry *) (bh->b_data + *offset); > *offset += QNX4_DIR_ENTRY_SIZE; > - if ((de->di_status & QNX4_FILE_LINK) != 0) { > - namelen = QNX4_NAME_MAX; > - } else { > - namelen = QNX4_SHORT_NAME_MAX; > - } > - thislen = strlen( de->di_fname ); > - if ( thislen > namelen ) > - thislen = namelen; > - if (len != thislen) { > + > + switch (de->inode.di_status) { > + case QNX4_FILE_LINK: > + entry_fname = de->link.dl_fname; > + entry_max_len = sizeof(de->link.dl_fname); > + break; > + case QNX4_FILE_USED: > + entry_fname = de->inode.di_fname; > + entry_max_len = sizeof(de->inode.di_fname); > + break; > + default: > return 0; > } > - if (strncmp(name, de->di_fname, len) == 0) { > - if ((de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)) ! = 0) { > - return 1; > - } > - } > + > + /* Directory entry may not be %NUL-terminated. */ > + entry_len = strnlen(entry_fname, entry_max_len); > + > + if (len != entry_len) > + return 0; > + > + if (strncmp(name, entry_fname, len) == 0) > + return 1; > + > return 0; > } > > diff --git a/include/uapi/linux/qnx4_fs.h b/include/uapi/linux/qnx4_fs.h > index 31487325d265..e033dbe1e009 100644 > --- a/include/uapi/linux/qnx4_fs.h > +++ b/include/uapi/linux/qnx4_fs.h > @@ -68,6 +68,13 @@ struct qnx4_link_info { > __u8 dl_status; > }; > > +union qnx4_dir_entry { > + struct qnx4_inode_entry inode; > + struct qnx4_link_info link; > +}; > +_Static_assert(offsetof(struct qnx4_inode_entry, di_status) == > + offsetof(struct qnx4_link_info, dl_status)); > + > struct qnx4_xblk { > __le32 xblk_next_xblk; > __le32 xblk_prev_xblk;
On Thu, Nov 16, 2023 at 05:48:20PM +0100, Anders Larsen wrote: > On 2023-11-16 15:58 Kees Cook wrote: > > if ((de->di_status & QNX4_FILE_LINK) == QNX4_FILE_LINK) { > > lnk = (struct qnx4_link_info *) de; > > > > It seems that entries may be either struct qnx4_inode_entry or struct > > qnx4_link_info but it's not captured in a union. > > > > This needs to be fixed by not lying to the compiler about what is there. > > > > How about this? > > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > > index 8d72221735d7..3cd20065bcfa 100644 > > --- a/fs/qnx4/namei.c > > +++ b/fs/qnx4/namei.c > > @@ -26,31 +26,39 @@ > > static int qnx4_match(int len, const char *name, > > struct buffer_head *bh, unsigned long *offset) > > { > > - struct qnx4_inode_entry *de; > > - int namelen, thislen; > > + union qnx4_dir_entry *de; > > + char *entry_fname; > > + int entry_len, entry_max_len; > > > > if (bh == NULL) { > > printk(KERN_WARNING "qnx4: matching unassigned buffer ! > \n"); > > return 0; > > } > > - de = (struct qnx4_inode_entry *) (bh->b_data + *offset); > > + de = (union qnx4_dir_entry *) (bh->b_data + *offset); > > *offset += QNX4_DIR_ENTRY_SIZE; > > - if ((de->di_status & QNX4_FILE_LINK) != 0) { > > - namelen = QNX4_NAME_MAX; > > - } else { > > - namelen = QNX4_SHORT_NAME_MAX; > > - } > > - thislen = strlen( de->di_fname ); > > - if ( thislen > namelen ) > > - thislen = namelen; > > - if (len != thislen) { > > + > > + switch (de->inode.di_status) { > > + case QNX4_FILE_LINK: > > + entry_fname = de->link.dl_fname; > > + entry_max_len = sizeof(de->link.dl_fname); > > + break; > > + case QNX4_FILE_USED: > > + entry_fname = de->inode.di_fname; > > + entry_max_len = sizeof(de->inode.di_fname); > > + break; > > + default: > > return 0; > > } > > The switch won't work since the _status field is a bit-field, so we should > rather reuse the similar union-logic already present in fs/qnx4/dir.c Ah, okay, LINK and USED might both be there. And perfect, yes, it looks like the union qnx4_directory_entry in fs/qnx4/dir.c would be perfect. -Kees > > - if (strncmp(name, de->di_fname, len) == 0) { > > - if ((de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)) ! > = 0) { > > - return 1; > > - } > > - } > > + > > + /* Directory entry may not be %NUL-terminated. */ > > + entry_len = strnlen(entry_fname, entry_max_len); > > + > > + if (len != entry_len) > > + return 0; > > + > > + if (strncmp(name, entry_fname, len) == 0) > > + return 1; > > + > > return 0; > > } > > > > diff --git a/include/uapi/linux/qnx4_fs.h b/include/uapi/linux/qnx4_fs.h > > index 31487325d265..e033dbe1e009 100644 > > --- a/include/uapi/linux/qnx4_fs.h > > +++ b/include/uapi/linux/qnx4_fs.h > > @@ -68,6 +68,13 @@ struct qnx4_link_info { > > __u8 dl_status; > > }; > > > > +union qnx4_dir_entry { > > + struct qnx4_inode_entry inode; > > + struct qnx4_link_info link; > > +}; > > +_Static_assert(offsetof(struct qnx4_inode_entry, di_status) == > > + offsetof(struct qnx4_link_info, dl_status)); > > + > > struct qnx4_xblk { > > __le32 xblk_next_xblk; > > __le32 xblk_prev_xblk; > > > >
Thank you Kees and Anders, Cheers BR, Ronald On Fri, Nov 17, 2023 at 4:26 AM Kees Cook <keescook@chromium.org> wrote: > > On Thu, Nov 16, 2023 at 05:48:20PM +0100, Anders Larsen wrote: > > On 2023-11-16 15:58 Kees Cook wrote: > > > if ((de->di_status & QNX4_FILE_LINK) == QNX4_FILE_LINK) { > > > lnk = (struct qnx4_link_info *) de; > > > > > > It seems that entries may be either struct qnx4_inode_entry or struct > > > qnx4_link_info but it's not captured in a union. > > > > > > This needs to be fixed by not lying to the compiler about what is there. > > > > > > How about this? > > > > > diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c > > > index 8d72221735d7..3cd20065bcfa 100644 > > > --- a/fs/qnx4/namei.c > > > +++ b/fs/qnx4/namei.c > > > @@ -26,31 +26,39 @@ > > > static int qnx4_match(int len, const char *name, > > > struct buffer_head *bh, unsigned long *offset) > > > { > > > - struct qnx4_inode_entry *de; > > > - int namelen, thislen; > > > + union qnx4_dir_entry *de; > > > + char *entry_fname; > > > + int entry_len, entry_max_len; > > > > > > if (bh == NULL) { > > > printk(KERN_WARNING "qnx4: matching unassigned buffer ! > > \n"); > > > return 0; > > > } > > > - de = (struct qnx4_inode_entry *) (bh->b_data + *offset); > > > + de = (union qnx4_dir_entry *) (bh->b_data + *offset); > > > *offset += QNX4_DIR_ENTRY_SIZE; > > > - if ((de->di_status & QNX4_FILE_LINK) != 0) { > > > - namelen = QNX4_NAME_MAX; > > > - } else { > > > - namelen = QNX4_SHORT_NAME_MAX; > > > - } > > > - thislen = strlen( de->di_fname ); > > > - if ( thislen > namelen ) > > > - thislen = namelen; > > > - if (len != thislen) { > > > + > > > + switch (de->inode.di_status) { > > > + case QNX4_FILE_LINK: > > > + entry_fname = de->link.dl_fname; > > > + entry_max_len = sizeof(de->link.dl_fname); > > > + break; > > > + case QNX4_FILE_USED: > > > + entry_fname = de->inode.di_fname; > > > + entry_max_len = sizeof(de->inode.di_fname); > > > + break; > > > + default: > > > return 0; > > > } > > > > The switch won't work since the _status field is a bit-field, so we should > > rather reuse the similar union-logic already present in fs/qnx4/dir.c > > Ah, okay, LINK and USED might both be there. And perfect, yes, it looks > like the union qnx4_directory_entry in fs/qnx4/dir.c would be perfect. > > -Kees > > > > - if (strncmp(name, de->di_fname, len) == 0) { > > > - if ((de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)) ! > > = 0) { > > > - return 1; > > > - } > > > - } > > > + > > > + /* Directory entry may not be %NUL-terminated. */ > > > + entry_len = strnlen(entry_fname, entry_max_len); > > > + > > > + if (len != entry_len) > > > + return 0; > > > + > > > + if (strncmp(name, entry_fname, len) == 0) > > > + return 1; > > > + > > > return 0; > > > } > > > > > > diff --git a/include/uapi/linux/qnx4_fs.h b/include/uapi/linux/qnx4_fs.h > > > index 31487325d265..e033dbe1e009 100644 > > > --- a/include/uapi/linux/qnx4_fs.h > > > +++ b/include/uapi/linux/qnx4_fs.h > > > @@ -68,6 +68,13 @@ struct qnx4_link_info { > > > __u8 dl_status; > > > }; > > > > > > +union qnx4_dir_entry { > > > + struct qnx4_inode_entry inode; > > > + struct qnx4_link_info link; > > > +}; > > > +_Static_assert(offsetof(struct qnx4_inode_entry, di_status) == > > > + offsetof(struct qnx4_link_info, dl_status)); > > > + > > > struct qnx4_xblk { > > > __le32 xblk_next_xblk; > > > __le32 xblk_prev_xblk; > > > > > > > > > > -- > Kees Cook
diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c index 8d72221735d7..825b891a52b3 100644 --- a/fs/qnx4/namei.c +++ b/fs/qnx4/namei.c @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name, } else { namelen = QNX4_SHORT_NAME_MAX; } + + /** qnx4 dir name length can vary, check the di_fname + * fetched from (struct qnx4_inode_entry *) before use in + * strlen to avoid panic due to buffer overflow" + */ + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) + return -ENAMETOOLONG; thislen = strlen( de->di_fname ); if ( thislen > namelen ) thislen = namelen;