Message ID | 20221126043612.853428-1-zhangpeng362@huawei.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp4457310wrr; Fri, 25 Nov 2022 20:46:04 -0800 (PST) X-Google-Smtp-Source: AA0mqf4GtVrPBbib7hueaLNPtRc5pxafpSS7AxA+mGQGMfSak5fV3RhFGml0JXFQmYuiDce6Kyfc X-Received: by 2002:aa7:d518:0:b0:46a:727f:b659 with SMTP id y24-20020aa7d518000000b0046a727fb659mr12903940edq.420.1669437964758; Fri, 25 Nov 2022 20:46:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669437964; cv=none; d=google.com; s=arc-20160816; b=DL6v9QAHsQRL/t0a1YDDADCmHSRJQ4U/OeBc22p2TC/DnfxIuA+wiqEbGoaJ5jUQ0U kQvwA6+boH6IVdkwcUFJ36Mn5OPpjFFDhISw5uykAcAc+5wJ23EJOhaziRIstXywfKR4 QucIpQShuTvxdqWVRCNidYlfuKSNZ1vL9NZFN/w47aBVQ+cNfqwgBrrdS6ZaG05gh7wN 2pM15FY8eLgXhiBuIj7eyM5p6iQYTMIirVwA688MChITN9qqjWFQK44PTdwPKhMwZCLQ 0jaVuwnpKSmdgooiTsaMerZxUi8UNxb8x+YFGpx7t2npOXfxY8JlkpyOxESP41I5mqFX 7wyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=LQtm48WndR5jjFqesrC4Ja3e/6jKf5Nd6amkJi45ST8=; b=d6QBLBNYilTMWJ6EdzCbMtdegfA5nwxTMywKoP4hlMihJu+XA1gerHDITfLXYkAyaF QdZo6X02M2j38yeFuBFPmWlBl1aE9eSAJjsoVSjs/21z0iEdhi2vu5LmFmYa8TR0VO6U gmghz9Jy0f+Bh6IyVPQCmu98+5nx/KrrNOLX9wpMtzLu+m3e9tkkj8OSYBCkhUZtf3h+ uQVPym3cpQIhNSCO36ql3PLph35FXzf5+Wo/LL/j8PF4kS+J9QGyM0K8O1GvqOnqxym2 q7Pfw+WNAlgEdECWQbEJeMg0jhX7+aNlnt30gHmlNEVOcMDo0i73MPR6Jnja52DdzPIW WOlg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x8-20020a05640226c800b00453b9f11bb1si4879111edd.206.2022.11.25.20.45.41; Fri, 25 Nov 2022 20:46:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230128AbiKZEg2 (ORCPT <rfc822;zxc52fgh@gmail.com> + 99 others); Fri, 25 Nov 2022 23:36:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42520 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230114AbiKZEgX (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Fri, 25 Nov 2022 23:36:23 -0500 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 165B440466; Fri, 25 Nov 2022 20:36:22 -0800 (PST) Received: from dggemv704-chm.china.huawei.com (unknown [172.30.72.53]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4NJzSK2KMKzmW95; Sat, 26 Nov 2022 12:35:45 +0800 (CST) Received: from kwepemm600020.china.huawei.com (7.193.23.147) by dggemv704-chm.china.huawei.com (10.3.19.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Sat, 26 Nov 2022 12:36:20 +0800 Received: from localhost.localdomain (10.175.112.125) by kwepemm600020.china.huawei.com (7.193.23.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Sat, 26 Nov 2022 12:36:19 +0800 From: Peng Zhang <zhangpeng362@huawei.com> To: <zippel@linux-m68k.org>, <akpm@osdl.org> CC: <linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <sunnanyong@huawei.com>, <wangkefeng.wang@huawei.com>, ZhangPeng <zhangpeng362@huawei.com>, <syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com> Subject: [PATCH] hfs: Fix OOB Write in hfs_asc2mac Date: Sat, 26 Nov 2022 04:36:12 +0000 Message-ID: <20221126043612.853428-1-zhangpeng362@huawei.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.112.125] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To kwepemm600020.china.huawei.com (7.193.23.147) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1750532583036524298?= X-GMAIL-MSGID: =?utf-8?q?1750532583036524298?= |
Series |
hfs: Fix OOB Write in hfs_asc2mac
|
|
Commit Message
zhangpeng (AS)
Nov. 26, 2022, 4:36 a.m. UTC
From: ZhangPeng <zhangpeng362@huawei.com> Syzbot reported a OOB Write bug: loop0: detected capacity change from 0 to 64 ================================================================== BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 If in->len is much larger than HFS_NAMELEN(31) which is the maximum length of an HFS filename, a OOB Write could occur in hfs_asc2mac(). In that case, when the dst reaches the boundary, the srclen is still greater than 0, which causes a OOB Write. Fix this by adding a Check on dstlen before Writing to dst address. Fixes: 328b92278650 ("[PATCH] hfs: NLS support") Reported-by: syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com Signed-off-by: ZhangPeng <zhangpeng362@huawei.com> --- fs/hfs/trans.c | 2 ++ 1 file changed, 2 insertions(+)
Comments
> On Nov 25, 2022, at 8:36 PM, Peng Zhang <zhangpeng362@huawei.com> wrote: > > From: ZhangPeng <zhangpeng362@huawei.com> > > Syzbot reported a OOB Write bug: > > loop0: detected capacity change from 0 to 64 > ================================================================== > BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 > fs/hfs/trans.c:133 > Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 > > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 > print_address_description+0x74/0x340 mm/kasan/report.c:284 > print_report+0x107/0x1f0 mm/kasan/report.c:395 > kasan_report+0xcd/0x100 mm/kasan/report.c:495 > hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 > hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 > hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 > lookup_open fs/namei.c:3391 [inline] > open_last_lookups fs/namei.c:3481 [inline] > path_openat+0x10e6/0x2df0 fs/namei.c:3710 > do_filp_open+0x264/0x4f0 fs/namei.c:3740 > > If in->len is much larger than HFS_NAMELEN(31) which is the maximum > length of an HFS filename, a OOB Write could occur in hfs_asc2mac(). In > that case, when the dst reaches the boundary, the srclen is still > greater than 0, which causes a OOB Write. > Fix this by adding a Check on dstlen before Writing to dst address. > > Fixes: 328b92278650 ("[PATCH] hfs: NLS support") > Reported-by: syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com > Signed-off-by: ZhangPeng <zhangpeng362@huawei.com> > --- > fs/hfs/trans.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c > index 39f5e343bf4d..886158db07b3 100644 > --- a/fs/hfs/trans.c > +++ b/fs/hfs/trans.c > @@ -130,6 +130,8 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr > dst += size; > dstlen -= size; > } else { > + if (dstlen == 0) > + goto out; Maybe, it makes sense to use dstlen instead of srclen in while()? We have now: while (srclen > 0) { <skipped> } else { <skipped> } We can use instead: while (dstlen > 0) { <skipped> } else { <skipped> } Will it fix the issue? Thanks, Slava. > *dst++ = ch > 0xff ? '?' : ch; > dstlen--; > } > -- > 2.25.1 >
On 2022/11/29 3:29, Viacheslav Dubeyko wrote: >> On Nov 25, 2022, at 8:36 PM, Peng Zhang <zhangpeng362@huawei.com> wrote: >> >> From: ZhangPeng <zhangpeng362@huawei.com> >> >> Syzbot reported a OOB Write bug: >> >> loop0: detected capacity change from 0 to 64 >> ================================================================== >> BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 >> fs/hfs/trans.c:133 >> Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 >> >> Call Trace: >> <TASK> >> __dump_stack lib/dump_stack.c:88 [inline] >> dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 >> print_address_description+0x74/0x340 mm/kasan/report.c:284 >> print_report+0x107/0x1f0 mm/kasan/report.c:395 >> kasan_report+0xcd/0x100 mm/kasan/report.c:495 >> hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 >> hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 >> hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 >> lookup_open fs/namei.c:3391 [inline] >> open_last_lookups fs/namei.c:3481 [inline] >> path_openat+0x10e6/0x2df0 fs/namei.c:3710 >> do_filp_open+0x264/0x4f0 fs/namei.c:3740 >> >> If in->len is much larger than HFS_NAMELEN(31) which is the maximum >> length of an HFS filename, a OOB Write could occur in hfs_asc2mac(). In >> that case, when the dst reaches the boundary, the srclen is still >> greater than 0, which causes a OOB Write. >> Fix this by adding a Check on dstlen before Writing to dst address. >> >> Fixes: 328b92278650 ("[PATCH] hfs: NLS support") >> Reported-by: syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com >> Signed-off-by: ZhangPeng <zhangpeng362@huawei.com> >> --- >> fs/hfs/trans.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c >> index 39f5e343bf4d..886158db07b3 100644 >> --- a/fs/hfs/trans.c >> +++ b/fs/hfs/trans.c >> @@ -130,6 +130,8 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr >> dst += size; >> dstlen -= size; >> } else { >> + if (dstlen == 0) >> + goto out; > Maybe, it makes sense to use dstlen instead of srclen in while()? > > We have now: > > while (srclen > 0) { > <skipped> > } else { > <skipped> > } > > We can use instead: > > while (dstlen > 0) { > <skipped> > } else { > <skipped> > } > > Will it fix the issue? > > Thanks, > Slava. Thank you for your help. After testing, it fix the issue. Would it be better to add dstlen > 0 instead of replacing srclen > 0 with dstlen > 0? Because there may be dstlen > 0 and srclen <= 0. we can use: while (srclen > 0 && dstlen > 0) { <skipped> } else { <skipped> } Thanks, Zhang Peng >> *dst++ = ch > 0xff ? '?' : ch; >> dstlen--; >> } >> -- >> 2.25.1 >> >
> On Nov 28, 2022, at 6:23 PM, zhangpeng (AS) <zhangpeng362@huawei.com> wrote: > > On 2022/11/29 3:29, Viacheslav Dubeyko wrote: > >>> On Nov 25, 2022, at 8:36 PM, Peng Zhang <zhangpeng362@huawei.com> wrote: >>> >>> From: ZhangPeng <zhangpeng362@huawei.com> >>> >>> Syzbot reported a OOB Write bug: >>> >>> loop0: detected capacity change from 0 to 64 >>> ================================================================== >>> BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 >>> fs/hfs/trans.c:133 >>> Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 >>> >>> Call Trace: >>> <TASK> >>> __dump_stack lib/dump_stack.c:88 [inline] >>> dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 >>> print_address_description+0x74/0x340 mm/kasan/report.c:284 >>> print_report+0x107/0x1f0 mm/kasan/report.c:395 >>> kasan_report+0xcd/0x100 mm/kasan/report.c:495 >>> hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 >>> hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 >>> hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 >>> lookup_open fs/namei.c:3391 [inline] >>> open_last_lookups fs/namei.c:3481 [inline] >>> path_openat+0x10e6/0x2df0 fs/namei.c:3710 >>> do_filp_open+0x264/0x4f0 fs/namei.c:3740 >>> >>> If in->len is much larger than HFS_NAMELEN(31) which is the maximum >>> length of an HFS filename, a OOB Write could occur in hfs_asc2mac(). In >>> that case, when the dst reaches the boundary, the srclen is still >>> greater than 0, which causes a OOB Write. >>> Fix this by adding a Check on dstlen before Writing to dst address. >>> >>> Fixes: 328b92278650 ("[PATCH] hfs: NLS support") >>> Reported-by: syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com >>> Signed-off-by: ZhangPeng <zhangpeng362@huawei.com> >>> --- >>> fs/hfs/trans.c | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c >>> index 39f5e343bf4d..886158db07b3 100644 >>> --- a/fs/hfs/trans.c >>> +++ b/fs/hfs/trans.c >>> @@ -130,6 +130,8 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr >>> dst += size; >>> dstlen -= size; >>> } else { >>> + if (dstlen == 0) >>> + goto out; >> Maybe, it makes sense to use dstlen instead of srclen in while()? >> >> We have now: >> >> while (srclen > 0) { >> <skipped> >> } else { >> <skipped> >> } >> >> We can use instead: >> >> while (dstlen > 0) { >> <skipped> >> } else { >> <skipped> >> } >> >> Will it fix the issue? >> >> Thanks, >> Slava. > > Thank you for your help. > > After testing, it fix the issue. > Would it be better to add dstlen > 0 instead of replacing srclen > 0 with dstlen > 0? > Because there may be dstlen > 0 and srclen <= 0. > > we can use: > > while (srclen > 0 && dstlen > 0) { > <skipped> > } else { > <skipped> > } > Looks good to me. Thanks, Slava. > > Thanks, > Zhang Peng > >>> *dst++ = ch > 0xff ? '?' : ch; >>> dstlen--; >>> } >>> -- >>> 2.25.1
On 2022/11/30 3:08, Viacheslav Dubeyko wrote: >> On Nov 28, 2022, at 6:23 PM, zhangpeng (AS) <zhangpeng362@huawei.com> wrote: >> >> On 2022/11/29 3:29, Viacheslav Dubeyko wrote: >>>> On Nov 25, 2022, at 8:36 PM, Peng Zhang <zhangpeng362@huawei.com> wrote: >>>> >>>> From: ZhangPeng <zhangpeng362@huawei.com> >>>> >>>> Syzbot reported a OOB Write bug: >>>> >>>> loop0: detected capacity change from 0 to 64 >>>> ================================================================== >>>> BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 >>>> fs/hfs/trans.c:133 >>>> Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 >>>> >>>> Call Trace: >>>> <TASK> >>>> __dump_stack lib/dump_stack.c:88 [inline] >>>> dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 >>>> print_address_description+0x74/0x340 mm/kasan/report.c:284 >>>> print_report+0x107/0x1f0 mm/kasan/report.c:395 >>>> kasan_report+0xcd/0x100 mm/kasan/report.c:495 >>>> hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 >>>> hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 >>>> hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 >>>> lookup_open fs/namei.c:3391 [inline] >>>> open_last_lookups fs/namei.c:3481 [inline] >>>> path_openat+0x10e6/0x2df0 fs/namei.c:3710 >>>> do_filp_open+0x264/0x4f0 fs/namei.c:3740 >>>> >>>> If in->len is much larger than HFS_NAMELEN(31) which is the maximum >>>> length of an HFS filename, a OOB Write could occur in hfs_asc2mac(). In >>>> that case, when the dst reaches the boundary, the srclen is still >>>> greater than 0, which causes a OOB Write. >>>> Fix this by adding a Check on dstlen before Writing to dst address. >>>> >>>> Fixes: 328b92278650 ("[PATCH] hfs: NLS support") >>>> Reported-by: syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com >>>> Signed-off-by: ZhangPeng <zhangpeng362@huawei.com> >>>> --- >>>> fs/hfs/trans.c | 2 ++ >>>> 1 file changed, 2 insertions(+) >>>> >>>> diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c >>>> index 39f5e343bf4d..886158db07b3 100644 >>>> --- a/fs/hfs/trans.c >>>> +++ b/fs/hfs/trans.c >>>> @@ -130,6 +130,8 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr >>>> dst += size; >>>> dstlen -= size; >>>> } else { >>>> + if (dstlen == 0) >>>> + goto out; >>> Maybe, it makes sense to use dstlen instead of srclen in while()? >>> >>> We have now: >>> >>> while (srclen > 0) { >>> <skipped> >>> } else { >>> <skipped> >>> } >>> >>> We can use instead: >>> >>> while (dstlen > 0) { >>> <skipped> >>> } else { >>> <skipped> >>> } >>> >>> Will it fix the issue? >>> >>> Thanks, >>> Slava. >> Thank you for your help. >> >> After testing, it fix the issue. >> Would it be better to add dstlen > 0 instead of replacing srclen > 0 with dstlen > 0? >> Because there may be dstlen > 0 and srclen <= 0. >> >> we can use: >> >> while (srclen > 0 && dstlen > 0) { >> <skipped> >> } else { >> <skipped> >> } >> > Looks good to me. Can I put you down as a Reviewed-by or Suggested-by? Thanks, Zhang Peng > Thanks, > Slava. > >> Thanks, >> Zhang Peng >> >>>> *dst++ = ch > 0xff ? '?' : ch; >>>> dstlen--; >>>> } >>>> -- >>>> 2.25.1
> On Nov 30, 2022, at 5:53 PM, zhangpeng (AS) <zhangpeng362@huawei.com> wrote: > > > On 2022/11/30 3:08, Viacheslav Dubeyko wrote: >>> On Nov 28, 2022, at 6:23 PM, zhangpeng (AS) <zhangpeng362@huawei.com> wrote: >>> >>> On 2022/11/29 3:29, Viacheslav Dubeyko wrote: >>>>> On Nov 25, 2022, at 8:36 PM, Peng Zhang <zhangpeng362@huawei.com> wrote: >>>>> >>>>> From: ZhangPeng <zhangpeng362@huawei.com> >>>>> >>>>> Syzbot reported a OOB Write bug: >>>>> >>>>> loop0: detected capacity change from 0 to 64 >>>>> ================================================================== >>>>> BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 >>>>> fs/hfs/trans.c:133 >>>>> Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 >>>>> >>>>> Call Trace: >>>>> <TASK> >>>>> __dump_stack lib/dump_stack.c:88 [inline] >>>>> dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 >>>>> print_address_description+0x74/0x340 mm/kasan/report.c:284 >>>>> print_report+0x107/0x1f0 mm/kasan/report.c:395 >>>>> kasan_report+0xcd/0x100 mm/kasan/report.c:495 >>>>> hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 >>>>> hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 >>>>> hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 >>>>> lookup_open fs/namei.c:3391 [inline] >>>>> open_last_lookups fs/namei.c:3481 [inline] >>>>> path_openat+0x10e6/0x2df0 fs/namei.c:3710 >>>>> do_filp_open+0x264/0x4f0 fs/namei.c:3740 >>>>> >>>>> If in->len is much larger than HFS_NAMELEN(31) which is the maximum >>>>> length of an HFS filename, a OOB Write could occur in hfs_asc2mac(). In >>>>> that case, when the dst reaches the boundary, the srclen is still >>>>> greater than 0, which causes a OOB Write. >>>>> Fix this by adding a Check on dstlen before Writing to dst address. >>>>> >>>>> Fixes: 328b92278650 ("[PATCH] hfs: NLS support") >>>>> Reported-by: syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com >>>>> Signed-off-by: ZhangPeng <zhangpeng362@huawei.com> >>>>> --- >>>>> fs/hfs/trans.c | 2 ++ >>>>> 1 file changed, 2 insertions(+) >>>>> >>>>> diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c >>>>> index 39f5e343bf4d..886158db07b3 100644 >>>>> --- a/fs/hfs/trans.c >>>>> +++ b/fs/hfs/trans.c >>>>> @@ -130,6 +130,8 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr >>>>> dst += size; >>>>> dstlen -= size; >>>>> } else { >>>>> + if (dstlen == 0) >>>>> + goto out; >>>> Maybe, it makes sense to use dstlen instead of srclen in while()? >>>> >>>> We have now: >>>> >>>> while (srclen > 0) { >>>> <skipped> >>>> } else { >>>> <skipped> >>>> } >>>> >>>> We can use instead: >>>> >>>> while (dstlen > 0) { >>>> <skipped> >>>> } else { >>>> <skipped> >>>> } >>>> >>>> Will it fix the issue? >>>> >>>> Thanks, >>>> Slava. >>> Thank you for your help. >>> >>> After testing, it fix the issue. >>> Would it be better to add dstlen > 0 instead of replacing srclen > 0 with dstlen > 0? >>> Because there may be dstlen > 0 and srclen <= 0. >>> >>> we can use: >>> >>> while (srclen > 0 && dstlen > 0) { >>> <skipped> >>> } else { >>> <skipped> >>> } >>> >> Looks good to me. > > Can I put you down as a Reviewed-by or Suggested-by? Sure. I hope to see the second version of the patch. Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com> Thanks, Slava. > > Thanks, > Zhang Peng > >> Thanks, >> Slava. >> >>> Thanks, >>> Zhang Peng >>> >>>>> *dst++ = ch > 0xff ? '?' : ch; >>>>> dstlen--; >>>>> } >>>>> -- >>>>> 2.25.1
diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c index 39f5e343bf4d..886158db07b3 100644 --- a/fs/hfs/trans.c +++ b/fs/hfs/trans.c @@ -130,6 +130,8 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr dst += size; dstlen -= size; } else { + if (dstlen == 0) + goto out; *dst++ = ch > 0xff ? '?' : ch; dstlen--; }