[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kernel-janitors
Subject:    Re: [PATCH] btrfs: prevent potential out of bounds in btrfs_ioctl_snap_create_v2()
From:       David Sterba <dsterba () suse ! cz>
Date:       2021-02-22 19:33:03
Message-ID: 20210222193302.GT1993 () suse ! cz
[Download RAW message or body]

On Wed, Feb 17, 2021 at 09:04:34AM +0300, Dan Carpenter wrote:
> The problem is we're copying "inherit" from user space but we don't
> necessarily know that we're copying enough data for a 64 byte
> struct.  Then the next problem is that "inherit" has a variable size
> array at the end, and we have to verify that array is the size we
> expected.
> 
> Fixes: 6f72c7e20dba: ("Btrfs: add qgroup inheritance")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Presumably only root can create snapshots.

Well, no. After first analysis there are some "interesting memory access
patterns" possible, with a crafted data in the inherit member.

> Anyway, I have not tested
> this fix.  I believe it is correct, of course.  But perhaps it's best
> to check.

Yeah I'll write a test also to see where exactly the issues are. Thanks
for the report/fix.
[prev in list] [next in list] [prev in thread] [next in thread]