    btrfs: prevent heap corruption in btrfs_ioctl_space_info() · 51788b1b
    Dan Rosenberg authored
    Commit bf5fc093 refactored
    btrfs_ioctl_space_info() and introduced several security issues.
    
    space_args.space_slots is an unsigned 64-bit type controlled by a
    possibly unprivileged caller.  The comparison as a signed int type
    allows providing values that are treated as negative and cause the
    subsequent allocation size calculation to wrap, or be truncated to 0.
    By providing a size that's truncated to 0, kmalloc() will return
    ZERO_SIZE_PTR.  It's also possible to provide a value smaller than the
    slot count.  The subsequent loop ignores the allocation size when
    copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR.
    
    The fix changes the slot count type and comparison typecast to u64,
    which prevents truncation or signedness errors, and also ensures that we
    don't copy more data than we've allocated in the subsequent loop.  Note
    that zero-size allocations are no longer possible since there is already
    an explicit check for space_args.space_slots being 0 and truncation of
    this value is no longer an issue.
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Josef Bacik <josef@redhat.com>
    Reviewed-by: Josef Bacik <josef@redhat.com>
    Signed-off-by: Chris Mason <chris.mason@oracle.com>
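The following is an added userspace model in C of the two size computations the commit message contrasts; it is not the kernel's ioctl.c code. `struct space_info`, `MAX_SLOTS` and `fill_slots` are constructed stand-ins for the real structures and limits, chosen only to show the int-versus-u64 behaviour and the bounded copy loop.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins: three u64 fields per slot and a cap on how many
 * slots one request may allocate (values chosen for this example only). */
struct space_info { uint64_t flags, total_bytes, used_bytes; };
#define MAX_SLOTS 4096ULL

/* Pre-fix pattern from the commit message: the caller-controlled u64 slot
 * count is compared and multiplied as a signed int. 0x100000000 truncates
 * to 0 (a zero-size allocation); 0xFFFFFFFF becomes -1, slips past the
 * "too large" check, and the product wraps. Returns the byte count that
 * would reach the allocator. */
static size_t buggy_alloc_size(uint64_t space_slots)
{
    int slot_count = (int)space_slots;      /* truncation + sign change */
    if (slot_count > (int)MAX_SLOTS)
        slot_count = (int)MAX_SLOTS;        /* negative values pass here */
    return sizeof(struct space_info) * slot_count;
}

/* Post-fix pattern: keep the count as u64, reject 0 explicitly, clamp with
 * a u64 comparison, and hand the clamped count back so the copy loop is
 * bounded by what was actually allocated. Returns 0 for a rejected request. */
static size_t fixed_alloc_size(uint64_t space_slots, uint64_t *slots_out)
{
    uint64_t slot_count = space_slots;
    if (slot_count == 0)
        return 0;
    if (slot_count > MAX_SLOTS)
        slot_count = MAX_SLOTS;
    *slots_out = slot_count;
    /* MAX_SLOTS * sizeof(struct space_info) cannot wrap a 64-bit size_t. */
    return (size_t)(sizeof(struct space_info) * slot_count);
}

/* Copy loop bounded by the allocated slot count rather than by how many
 * entries the producer has available. Returns the number written. */
static uint64_t fill_slots(struct space_info *dst, uint64_t alloc_slots,
                           const struct space_info *src, uint64_t available)
{
    uint64_t n = 0;
    for (uint64_t i = 0; i < available; i++) {
        if (n >= alloc_slots)
            break;                          /* never exceed the allocation */
        dst[n++] = src[i];
    }
    return n;
}
```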