[RFC PATCH 15/20] jfs: Fix buffer overflow in jfs_strfromUCS_le() function

From: Pali Rohár
Date: Sun Aug 08 2021 - 12:25:33 EST


Function jfs_strfromUCS_le() writes to unknown offset in buffer allocated
by __get_free_page(GFP_KERNEL). So it cannot expects that there is least
NLS_MAX_CHARSET_SIZE bytes space before end of that buffer.

Fix this issue by add a new parameter maxlen for jfs_strfromUCS_le()
function. And use it for passing remaining size of buffer to prevent buffer
overflow in kernel.

Signed-off-by: Pali Rohár <pali@xxxxxxxxxx>
---
fs/jfs/jfs_dtree.c | 13 ++++++++++---
fs/jfs/jfs_unicode.c | 6 +++---
fs/jfs/jfs_unicode.h | 2 +-
3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 837d42f61464..6dbdce54f139 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -3013,6 +3013,7 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
int d_namleft, len, outlen;
unsigned long dirent_buf;
char *name_ptr;
+ int maxlen;
u32 dir_index;
int do_index = 0;
uint loop_count = 0;
@@ -3235,7 +3236,10 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
}

/* copy the name of head/only segment */
- outlen = jfs_strfromUCS_le(name_ptr, d->name, len,
+ maxlen = PAGE_SIZE - sizeof(struct jfs_dirent) -
+ (name_ptr - jfs_dirent->name);
+ outlen = jfs_strfromUCS_le(name_ptr, maxlen,
+ d->name, len,
codepage);
jfs_dirent->name_len = outlen;

@@ -3255,8 +3259,11 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
goto skip_one;
}
len = min(d_namleft, DTSLOTDATALEN);
- outlen = jfs_strfromUCS_le(name_ptr, t->name,
- len, codepage);
+ maxlen = PAGE_SIZE - sizeof(struct jfs_dirent) -
+ (name_ptr - jfs_dirent->name);
+ outlen = jfs_strfromUCS_le(name_ptr, maxlen,
+ t->name, len,
+ codepage);
jfs_dirent->name_len += outlen;

next = t->next;
diff --git a/fs/jfs/jfs_unicode.c b/fs/jfs/jfs_unicode.c
index 1d0f65d13b58..2db923872bf1 100644
--- a/fs/jfs/jfs_unicode.c
+++ b/fs/jfs/jfs_unicode.c
@@ -16,7 +16,7 @@
* FUNCTION: Convert little-endian unicode string to character string
*
*/
-int jfs_strfromUCS_le(char *to, const __le16 * from,
+int jfs_strfromUCS_le(char *to, int maxlen, const __le16 * from,
int len, struct nls_table *codepage)
{
int i;
@@ -25,12 +25,12 @@ int jfs_strfromUCS_le(char *to, const __le16 * from,
int warn = !!warn_again; /* once per string */

if (codepage) {
- for (i = 0; (i < len) && from[i]; i++) {
+ for (i = 0; (i < len) && from[i] && outlen < maxlen-1; i++) {
int charlen;
charlen =
codepage->uni2char(le16_to_cpu(from[i]),
&to[outlen],
- NLS_MAX_CHARSET_SIZE);
+ maxlen-1-outlen);
if (charlen > 0)
outlen += charlen;
else {
diff --git a/fs/jfs/jfs_unicode.h b/fs/jfs/jfs_unicode.h
index 9db62d047daa..8b5c74315e07 100644
--- a/fs/jfs/jfs_unicode.h
+++ b/fs/jfs/jfs_unicode.h
@@ -19,7 +19,7 @@ typedef struct {
extern signed char UniUpperTable[512];
extern UNICASERANGE UniUpperRange[];
extern int get_UCSname(struct component_name *, struct dentry *);
-extern int jfs_strfromUCS_le(char *, const __le16 *, int, struct nls_table *);
+extern int jfs_strfromUCS_le(char *, int, const __le16 *, int, struct nls_table *);

#define free_UCSname(COMP) kfree((COMP)->name)

--
2.20.1