Re: [PATCH upstream] KASAN: slab-out-of-bounds Read in getname_kernel
From: Ian Kent
Date: Sun Jul 01 2018 - 21:10:42 EST
On Mon, 2018-07-02 at 00:04 +0200, tomas wrote:
> I've looked into this issue found by Syzbot and I made a patch:
Umm ... oops!
Thanks for looking into this Tomas.
> The autofs subsystem does not check that the "path" parameter is present
> within the "param" struct passed by the userspace in case the
> AUTOFS_DEV_IOCTL_OPENMOUNT_CMD command is passed. Indeed, it assumes a
> path is always provided (though a path is not always present, as per how
> the struct is defined:
> Skipping the check provokes an oob read in "strlen", called by
> "getname_kernel", in turn called by the autofs to assess the length of
> the non-existing path.
> To solve it, modify the "validate_dev_ioctl" function to check also that
> a path has been provided if the command is AUTOFS_DEV_IOCTL_OPENMOUNT_CMD.
> --- b/fs/autofs/dev-ioctl.c 2018-07-01 23:10:16.059728621 +0200
> +++ a/fs/autofs/dev-ioctl.c 2018-07-01 23:10:24.311792133 +0200
> @@ -136,6 +136,9 @@ static int validate_dev_ioctl(int cmd, s
> goto out;
> + /* AUTOFS_DEV_IOCTL_OPENMOUNT_CMD without path */
> + else if(_IOC_NR(cmd) == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD)
> + return -EINVAL;
My preference is to put the comment inside the else but ...
There's another question, should the check be done in
autofs_dev_ioctl_openmount() in the same way it's checked in other
ioctls that need a path, such as in autofs_dev_ioctl_requester()
For consistency I'd say it should.
> err = 0;
> Tested and solves the issue on Linus' main git tree.