a7y18lte-ubports/android_kernel_samsung_a7y18lte
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bb1e083ed4
android_kernel_samsung_a7y1.../fs
History
Eric Biggers b263c13b62 libfs: fix infoleak in simple_attr_read() 
commit a65cab7d7f05c2061a3e2490257d3086ff3202c6 upstream.

Reading from a debugfs file at a nonzero position, without first reading
at position 0, leaks uninitialized memory to userspace.

It's a bit tricky to do this, since lseek() and pread() aren't allowed
on these files, and write() doesn't update the position on them.  But
writing to them with splice() *does* update the position:

	#define _GNU_SOURCE 1
	#include <fcntl.h>
	#include <stdio.h>
	#include <unistd.h>
	int main()
	{
		int pipes[2], fd, n, i;
		char buf[32];

		pipe(pipes);
		write(pipes[1], "0", 1);
		fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
		splice(pipes[0], NULL, fd, NULL, 1, 0);
		n = read(fd, buf, sizeof(buf));
		for (i = 0; i < n; i++)
			printf("%02x", buf[i]);
		printf("\n");
	}

Output:
	5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30

Fix the infoleak by making simple_attr_read() always fill
simple_attr::get_buf if it hasn't been filled yet.

Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
Reported-by: Alexander Potapenko <glider@google.com>
Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20200308023849.988264-1-ebiggers@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-07 14:24:56 +02:00
..
9p 9p: avoid attaching writeback_fid on mmap with type PRIVATE 2020-04-07 08:07:58 +02:00
adfs fs/adfs: super: fix use-after-free bug 2020-04-06 20:26:54 +02:00
affs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
afs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
autofs4 autofs: fix a leak in autofs_expire_indirect() 2020-04-07 12:44:02 +02:00
befs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
bfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
btrfs Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents 2020-04-07 14:03:50 +02:00
cachefiles A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ceph ceph: fix dentry leak in ceph_readdir_prepopulate 2020-04-07 12:35:17 +02:00
cifs cifs: don't leak -EAGAIN for stat() during reconnect 2020-04-07 14:10:10 +02:00
coda coda: add error handling for fget 2020-04-06 20:27:22 +02:00
configfs configfs: fix a deadlock in configfs_symlink() 2020-04-07 11:49:08 +02:00
cramfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
crypto A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
debugfs debugfs: fix use-after-free on symlink traversal 2020-04-06 16:42:15 +02:00
devpts A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dlm dlm: fix invalid cluster name warning 2020-04-07 12:45:23 +02:00
ecryptfs ecryptfs: Fix up bad backport of fe2e082f5da5b4a0a92ae32978f81507ef37ec66 2020-04-07 14:04:54 +02:00
efivarfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
efs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
exofs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
exportfs exportfs: fix 'passing zero to ERR_PTR()' warning 2020-04-07 13:39:20 +02:00
ext2 ext2: Adjust indentation in ext2_fill_super 2020-04-07 13:50:47 +02:00
ext4 ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() 2020-04-07 14:04:41 +02:00
f2fs f2fs: fix to do sanity check on segment bitmap of LFS curseg 2020-04-07 07:36:58 +02:00
fat fat: fix uninit-memory access for partial initialized inode 2020-04-07 14:10:21 +02:00
freevxfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
fscache A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
fuse fs: prevent page refcount overflow in pipe_buf_get 2020-04-07 14:09:48 +02:00
gfs2 gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache 2020-04-07 14:11:36 +02:00
hfs fs/hfs/extent.c: fix array out of bounds read of array extent 2020-04-07 12:35:57 +02:00
hfsplus hfsplus: fix return value of hfsplus_get_block() 2020-04-07 12:35:53 +02:00
hostfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
hpfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
hugetlbfs hugetlb: use same fault hash key for shared and private mappings 2020-04-06 18:15:12 +02:00
isofs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
jbd2 jbd2: fix data races at struct journal_head 2020-04-07 14:13:37 +02:00
jffs2 jffs2: fix use-after-free on symlink traversal 2020-04-06 16:42:13 +02:00
jfs jfs: fix bogus variable self-initialization 2020-04-07 13:41:05 +02:00
kernfs kernfs: Fix range checks in kernfs_get_target_path 2020-04-07 12:28:12 +02:00
lockd A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
logfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
minix A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ncpfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nfs NFS: Remove superfluous kmap in nfs_readdir_xdr_to_array 2020-04-07 14:10:55 +02:00
nfs_common A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nfsd nfsd: Return EPERM, not EACCES, in some SETATTR cases 2020-04-07 12:45:30 +02:00
nilfs2 A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nls A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
notify A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ntfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ocfs2 ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans() 2020-04-07 13:57:19 +02:00
omfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
openpromfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
overlayfs Revert "ovl: modify ovl_permission() to do checks on two inodes" 2020-04-07 13:49:58 +02:00
proc mm/page_alloc.c: calculate 'available' memory in a separate function 2020-04-07 13:36:28 +02:00
pstore pstore/ram: Write new dumps to start of recycled zones 2020-04-07 13:25:10 +02:00
qnx4 A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
qnx6 A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
quota fs/quota: handle overflows of sysctl fs.quota.* and report as unsigned long 2020-04-07 13:23:11 +02:00
ramfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
reiserfs reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() 2020-04-07 13:57:23 +02:00
romfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sdcardfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sdfat A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
squashfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sysfs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sysv A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
tracefs A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ubifs ubifs: Fix deadlock in concurrent bulk-read and writepage 2020-04-07 13:55:10 +02:00
udf udf: Fix incorrect final NOT_ALLOCATED (hole) extent length 2020-04-06 19:26:24 +02:00
ufs ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour 2020-04-06 18:14:41 +02:00
xfs xfs: Sanity check flags of Q_XQUOTARM call 2020-04-07 13:39:05 +02:00
aio.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
anon_inodes.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
attr.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
bad_inode.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
binfmt_aout.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
binfmt_elf_fdpic.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
binfmt_elf.c binfmt_elf: switch to new creds when switching to new mm 2020-04-06 14:52:46 +02:00
binfmt_em86.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
binfmt_flat.c fs/binfmt_flat.c: make load_flat_shared_library() work 2020-04-06 19:13:44 +02:00
binfmt_misc.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
binfmt_script.c exec: load_script: Do not exec truncated interpreter path 2020-04-07 09:27:31 +02:00
block_dev.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
buffer.c fs: fix guard_bio_eod to check for real EOD errors 2020-04-06 14:50:20 +02:00
char_dev.c chardev: Avoid potential use-after-free in 'chrdev_open()' 2020-04-07 13:29:29 +02:00
compat_binfmt_elf.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
compat_ioctl.c compat_ioctl: pppoe: fix PPPOEIOCSFWD handling 2020-04-06 20:28:29 +02:00
compat.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
coredump.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dax.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dcache.c fs/dcache: move security_d_instantiate() behind attaching dentry to inode 2020-04-07 09:57:56 +02:00
dcookies.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
direct-io.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dlog_hook.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
drop_caches.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
eventfd.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
eventpoll.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
exec.c sched/fair: Don't free p->numa_faults with concurrent readers 2020-04-06 20:26:24 +02:00
fcntl.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
fhandle.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
file_table.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
file.c fs/file.c: initialize init_files.resize_wait 2020-04-06 14:49:46 +02:00
filesystems.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
fs_pin.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
fs_struct.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
fs-writeback.c cgroup,writeback: don't switch wbs immediately on dead wbs if the memcg is dead 2020-04-07 11:58:54 +02:00
inode.c futex: Fix inode life-time issue 2020-04-07 14:17:43 +02:00
internal.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ioctl.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Kconfig A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Kconfig.binfmt A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
libfs.c libfs: fix infoleak in simple_attr_read() 2020-04-07 14:24:56 +02:00
locks.c locks: print unsigned ino in /proc/locks 2020-04-07 13:24:39 +02:00
Makefile A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mbcache.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mount.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mpage.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
namei.c namei: only return -ECHILD from follow_dotdot_rcu() 2020-04-07 14:05:00 +02:00
namespace.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
no-block.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nsfs.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
open.c access: avoid the RCU grace period for the temporary subjective credentials 2020-04-06 20:24:58 +02:00
pipe.c fs: prevent page refcount overflow in pipe_buf_get 2020-04-07 14:09:48 +02:00
pnode.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
pnode.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
posix_acl.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
proc_namespace.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
read_write.c fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock 2020-04-06 18:47:45 +02:00
readdir.c filldir[64]: remove WARN_ON_ONCE() for bad directory entries 2020-04-07 13:23:50 +02:00
select.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
seq_file.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
signalfd.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
splice.c fs: prevent page refcount overflow in pipe_buf_get 2020-04-07 14:09:48 +02:00
stack.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
stat.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
statfs.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
super.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sync.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
timerfd.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
userfaultfd.c userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx 2020-04-06 21:09:04 +02:00
utimes.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
xattr.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30