Commit 3725e9dd authored Sep 09, 2015 by Jan Harkes Committed by Linus Torvalds Sep 10, 2015

fs/coda: fix readlink buffer overflow



Dan Carpenter discovered a buffer overflow in the Coda file system
readlink code.  A userspace file system daemon can return a 4096 byte
result which then triggers a one byte write past the allocated readlink
result buffer.

This does not trigger with an unmodified Coda implementation because Coda
has a 1024 byte limit for symbolic links, however other userspace file
systems using the Coda kernel module could be affected.

Although this is an obvious overflow, I don't think this has to be handled
as too sensitive from a security perspective because the overflow is on
the Coda userspace daemon side which already needs root to open Coda's
kernel device and to mount the file system before we get to the point that
links can be read.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent c5595fa2

fs/coda/upcall.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -353,7 +353,7 @@ int venus_readlink(struct super_block sb, struct CodaFid fid,
		char *result;

		insize = max_t(unsigned int,
		INSIZE(readlink), OUTSIZE(readlink)+ *length + 1);
		INSIZE(readlink), OUTSIZE(readlink)+ *length);
		UPARG(CODA_READLINK);

		inp->coda_readlink.VFid = *fid;
		@@ -361,8 +361,8 @@ int venus_readlink(struct super_block sb, struct CodaFid fid,
		error = coda_upcall(coda_vcp(sb), insize, &outsize, inp);
		if (!error) {
		retlen = outp->coda_readlink.count;
		if ( retlen > *length )
		retlen = *length;
		if (retlen >= *length)
		retlen = *length - 1;
		*length = retlen;
		result = (char *)outp + (long)outp->coda_readlink.data;
		memcpy(buffer, result, retlen);

Admin message