diff options
| author | Tomas Bortoli <tomasbortoli@gmail.com> | 2018-07-13 19:58:59 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-07-14 14:11:09 -0400 |
| commit | 02f51d45937f7bc7f4dee21e9f85b2d5eac37104 (patch) | |
| tree | 1bc4f4e4a1d0ac12f67573c65d825478b9d62f4b /fs | |
| parent | e70cc2bd579e8a9d6d153762f0fe294d0e652ff0 (diff) | |
autofs: fix slab out of bounds read in getname_kernel()
The autofs subsystem does not check that the "path" parameter is present
for all cases where it is required when it is passed in via the "param"
struct.
In particular it isn't checked for the AUTOFS_DEV_IOCTL_OPENMOUNT_CMD
ioctl command.
To solve it, modify validate_dev_ioctl(function to check that a path has
been provided for ioctl commands that require it.
Link: http://lkml.kernel.org/r/153060031527.26631.18306637892746301555.stgit@pluto.themaw.net
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Signed-off-by: Ian Kent <raven@themaw.net>
Reported-by: syzbot+60c837b428dc84e83a93@syzkaller.appspotmail.com
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/autofs/dev-ioctl.c | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/fs/autofs/dev-ioctl.c b/fs/autofs/dev-ioctl.c index ea4ca1445ab7..86eafda4a652 100644 --- a/fs/autofs/dev-ioctl.c +++ b/fs/autofs/dev-ioctl.c | |||
| @@ -135,6 +135,15 @@ static int validate_dev_ioctl(int cmd, struct autofs_dev_ioctl *param) | |||
| 135 | cmd); | 135 | cmd); |
| 136 | goto out; | 136 | goto out; |
| 137 | } | 137 | } |
| 138 | } else { | ||
| 139 | unsigned int inr = _IOC_NR(cmd); | ||
| 140 | |||
| 141 | if (inr == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD || | ||
| 142 | inr == AUTOFS_DEV_IOCTL_REQUESTER_CMD || | ||
| 143 | inr == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD) { | ||
| 144 | err = -EINVAL; | ||
| 145 | goto out; | ||
| 146 | } | ||
| 138 | } | 147 | } |
| 139 | 148 | ||
| 140 | err = 0; | 149 | err = 0; |
| @@ -271,7 +280,8 @@ static int autofs_dev_ioctl_openmount(struct file *fp, | |||
| 271 | dev_t devid; | 280 | dev_t devid; |
| 272 | int err, fd; | 281 | int err, fd; |
| 273 | 282 | ||
| 274 | /* param->path has already been checked */ | 283 | /* param->path has been checked in validate_dev_ioctl() */ |
| 284 | |||
| 275 | if (!param->openmount.devid) | 285 | if (!param->openmount.devid) |
| 276 | return -EINVAL; | 286 | return -EINVAL; |
| 277 | 287 | ||
| @@ -433,10 +443,7 @@ static int autofs_dev_ioctl_requester(struct file *fp, | |||
| 433 | dev_t devid; | 443 | dev_t devid; |
| 434 | int err = -ENOENT; | 444 | int err = -ENOENT; |
| 435 | 445 | ||
| 436 | if (param->size <= AUTOFS_DEV_IOCTL_SIZE) { | 446 | /* param->path has been checked in validate_dev_ioctl() */ |
| 437 | err = -EINVAL; | ||
| 438 | goto out; | ||
| 439 | } | ||
| 440 | 447 | ||
| 441 | devid = sbi->sb->s_dev; | 448 | devid = sbi->sb->s_dev; |
| 442 | 449 | ||
| @@ -521,10 +528,7 @@ static int autofs_dev_ioctl_ismountpoint(struct file *fp, | |||
| 521 | unsigned int devid, magic; | 528 | unsigned int devid, magic; |
| 522 | int err = -ENOENT; | 529 | int err = -ENOENT; |
| 523 | 530 | ||
| 524 | if (param->size <= AUTOFS_DEV_IOCTL_SIZE) { | 531 | /* param->path has been checked in validate_dev_ioctl() */ |
| 525 | err = -EINVAL; | ||
| 526 | goto out; | ||
| 527 | } | ||
| 528 | 532 | ||
| 529 | name = param->path; | 533 | name = param->path; |
| 530 | type = param->ismountpoint.in.type; | 534 | type = param->ismountpoint.in.type; |