Re: [PATCH upstream] KASAN: slab-out-of-bounds Read in getname_kernel
From: Ian Kent
Date: Sun Jul 01 2018 - 21:10:42 EST
On Mon, 2018-07-02 at 00:04 +0200, tomas wrote:
> Hi,
>
> I've looked into this issue found by Syzbot and I made a patch:
>
> https://syzkaller.appspot.com/bug?id=d03abd8b42847f7f69b1d1d7f97208ae425b1163
Umm ... oops!
Thanks for looking into this Tomas.
>
>
> The autofs subsystem does not check that the "path" parameter is present
> within the "param" struct passed by the userspace in case the
> AUTOFS_DEV_IOCTL_OPENMOUNT_CMD command is passed. Indeed, it assumes a
> path is always provided (though a path is not always present, as per how
> the struct is defined:
> https://github.com/torvalds/linux/blob/master/include/uapi/linux/auto_dev-ioct
> l.h#L89).
> Skipping the check provokes an oob read in "strlen", called by
> "getname_kernel", in turn called by the autofs to assess the length of
> the non-existing path.
>
> To solve it, modify the "validate_dev_ioctl" function to check also that
> a path has been provided if the command is AUTOFS_DEV_IOCTL_OPENMOUNT_CMD.
>
>
> --- b/fs/autofs/dev-ioctl.c 2018-07-01 23:10:16.059728621 +0200
> +++ a/fs/autofs/dev-ioctl.c 2018-07-01 23:10:24.311792133 +0200
> @@ -136,6 +136,9 @@ static int validate_dev_ioctl(int cmd, s
> goto out;
> }
> }
> + /* AUTOFS_DEV_IOCTL_OPENMOUNT_CMD without path */
> + else if(_IOC_NR(cmd) == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD)
> + return -EINVAL;
My preference is to put the comment inside the else but ...
There's another question, should the check be done in
autofs_dev_ioctl_openmount() in the same way it's checked in other
ioctls that need a path, such as in autofs_dev_ioctl_requester()
and autofs_dev_ioctl_ismountpoint()?
For consistency I'd say it should.
>
> err = 0;
> out:
>
>
> Tested and solves the issue on Linus' main git tree.
>
>
Ian