    ovl: potential crash in ovl_fid_to_fh() · 9aafc1b0
    Dan Carpenter authored
    The "buflen" value comes from the user and there is a potential that it
    could be zero.  In do_handle_to_path() we know that "handle->handle_bytes"
    is non-zero and we do:
    
    	handle_dwords = handle->handle_bytes >> 2;
    
    So values 1-3 become zero.  Then in ovl_fh_to_dentry() we do:
    
    	int len = fh_len << 2;
    
    So now len is in the "0,4-128" range and a multiple of 4.  But if
    "buflen" is zero it will try to copy negative bytes when we do the
    memcpy in ovl_fid_to_fh().
    
    	memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET);
    
    And that will lead to a crash.  Thanks to Amir Goldstein for his help
    with this patch.
    
    Fixes: cbe7fba8 ("ovl: make sure that real fid is 32bit aligned in memory")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Amir Goldstein <amir73il@gmail.com>
    Cc: <stable@vger.kernel.org> # v5.5
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
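The arithmetic the commit message walks through, as an added user-space example that is not the kernel's code: `fh_len_from_handle_bytes()` mirrors the `>> 2` then `<< 2` pair that turns a user-supplied `handle_bytes` of 1..3 into a length of 0, `copy_len_unchecked()` shows what the `int` subtraction becomes once it is converted to `size_t` at the `memcpy()` call, and `fid_to_fh_checked()` shows the defensive shape of rejecting a too-short buffer before the subtraction. `WIRE_OFFSET` is assumed to be 3 here (a stand-in for `OVL_FH_WIRE_OFFSET`), `MAX_HANDLE_SZ` is assumed to be 128 from the "0,4-128" range above, and the fid bytes are constructed; the check is the general pattern, not a claim about the exact form of the upstream fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: 3 bytes of in-memory header precede the fid
 * payload (stand-in for OVL_FH_WIRE_OFFSET); 128 is the largest handle. */
#define WIRE_OFFSET 3
#define MAX_HANDLE_SZ 128

/* Mirror the two shifts from the commit message:
 * handle_dwords = handle_bytes >> 2, then len = fh_len << 2.
 * A non-zero handle_bytes of 1..3 collapses to a length of 0. */
static int fh_len_from_handle_bytes(unsigned int handle_bytes)
{
	unsigned int handle_dwords = handle_bytes >> 2;
	return (int)(handle_dwords << 2);
}

/* The size memcpy() actually receives for a given buflen: the int result
 * of "buflen - WIRE_OFFSET" is converted to size_t by memcpy's prototype,
 * so buflen == 0 yields a value near SIZE_MAX, not a negative length. */
static size_t copy_len_unchecked(int buflen)
{
	return (size_t)(buflen - WIRE_OFFSET);
}

/* Hardened conversion: validate buflen before subtracting so the length
 * handed to memcpy() can never wrap. Returns payload bytes copied or
 * -EINVAL (kernel-style negative errno). */
static int fid_to_fh_checked(const unsigned char *fid, int buflen,
			     unsigned char *fh, size_t fh_size)
{
	if (buflen <= WIRE_OFFSET || buflen > MAX_HANDLE_SZ)
		return -EINVAL;
	if ((size_t)buflen > fh_size)
		return -EINVAL;
	memcpy(fh + WIRE_OFFSET, fid, (size_t)(buflen - WIRE_OFFSET));
	return buflen - WIRE_OFFSET;
}

/* Drive the checked path with a constructed fid for a given buflen. */
static int demo_checked(int buflen)
{
	static const unsigned char fid[MAX_HANDLE_SZ] = { 1, 2, 3, 4, 5, 6, 7, 8 };
	unsigned char fh[MAX_HANDLE_SZ] = { 0 };

	return fid_to_fh_checked(fid, buflen, fh, sizeof fh);
}

int main(void)
{
	unsigned int hb;

	for (hb = 1; hb <= 5; hb++)
		printf("handle_bytes=%u -> len=%d\n", hb, fh_len_from_handle_bytes(hb));
	printf("unchecked memcpy size for buflen=0: %zu\n", copy_len_unchecked(0));
	printf("checked: buflen=0 -> %d, buflen=8 -> %d\n",
	       demo_checked(0), demo_checked(8));
	return 0;
}
```

The point of `copy_len_unchecked()` is that "copy negative bytes" never reaches `memcpy()` as a negative number: the implicit conversion to `size_t` turns -3 into `SIZE_MAX - 2`, which is why the result is a crash rather than a no-op. Placing the range check before the subtraction, as `fid_to_fh_checked()` does, is the check to look for when reviewing any length derived from user-controlled handle sizes.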