Re: [PATCH] romfs: Fix uninitialized memory leak in romfs_dev_read()

From: Greg Kroah-Hartman
Date: Tue Aug 18 2020 - 02:10:01 EST


On Tue, Aug 18, 2020 at 03:32:02AM +0200, Jann Horn wrote:
> romfs has a superblock field that limits the size of the filesystem;
> data beyond that limit is never accessed.
>
> romfs_dev_read() fetches a caller-supplied number of bytes from the
> backing device. It returns 0 on success or an error code on failure;
> therefore, its API can't represent short reads, it's all-or-nothing.
>
> However, when romfs_dev_read() detects that the requested operation
> would cross the filesystem size limit, it currently silently truncates
> the requested number of bytes. This e.g. means that when the content
> of a file with size 0x1000 starts one byte before the filesystem size
> limit, ->readpage() will only fill a single byte of the supplied page
> while leaving the rest uninitialized, leaking that uninitialized memory
> to userspace.
>
> Fix it by returning an error code instead of truncating the read when
> the requested read operation would go beyond the end of the filesystem.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly")
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>

Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>