ovl: fix out of bounds access warning in ovl_check_fb_len()

amir73il · Miklos Szeredi · commit 522f6e6cba68 · 2020-06-02T22:20:25.000+02:00
syzbot reported out of bounds memory access from open_by_handle_at() with a crafted file handle that looks like this: { .handle_bytes = 2, .handle_type = OVL_FILEID_V1 } handle_bytes gets rounded down to 0 and we end up calling: ovl_check_fh_len(fh, 0) => ovl_check_fb_len(fh + 3, -3) But fh buffer is only 2 bytes long, so accessing struct ovl_fb at fh + 3 is illegal. Fixes: cbe7fba ("ovl: make sure that real fid is 32bit aligned in memory") Reported-and-tested-by: syzbot+61958888b1c60361a791@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> # v5.5 Signed-off-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
@@ -355,6 +355,9 @@ int ovl_check_fb_len(struct ovl_fb *fb, int fb_len);
 
 static inline int ovl_check_fh_len(struct ovl_fh *fh, int fh_len)
 {
+	if (fh_len < sizeof(struct ovl_fh))
+		return -EINVAL;
+
 	return ovl_check_fb_len(&fh->fb, fh_len - OVL_FH_WIRE_OFFSET);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -355,6 +355,9 @@ int ovl_check_fb_len(struct ovl_fb *fb, int fb_len);`
`355`	`355`
`356`	`356`	`static inline int ovl_check_fh_len(struct ovl_fh *fh, int fh_len)`
`357`	`357`	`{`
	`358`	`+ if (fh_len < sizeof(struct ovl_fh))`
	`359`	`+ return -EINVAL;`
	`360`	`+`
`358`	`361`	`return ovl_check_fb_len(&fh->fb, fh_len - OVL_FH_WIRE_OFFSET);`
`359`	`362`	`}`
`360`	`363`