[prev in list] [next in list] [prev in thread] [next in thread]
List: kernel-janitors
Subject: Re: [PATCH] btrfs: prevent potential out of bounds in btrfs_ioctl_snap_create_v2()
From: David Sterba <dsterba () suse ! cz>
Date: 2021-02-22 19:33:03
Message-ID: 20210222193302.GT1993 () suse ! cz
[Download RAW message or body]
On Wed, Feb 17, 2021 at 09:04:34AM +0300, Dan Carpenter wrote:
> The problem is we're copying "inherit" from user space but we don't
> necessarily know that we're copying enough data for a 64 byte
> struct. Then the next problem is that "inherit" has a variable size
> array at the end, and we have to verify that array is the size we
> expected.
>
> Fixes: 6f72c7e20dba: ("Btrfs: add qgroup inheritance")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Presumably only root can create snapshots.
Well, no. After first analysis there are some "interesting memory access
patterns" possible, with a crafted data in the inherit member.
> Anyway, I have not tested
> this fix. I believe it is correct, of course. But perhaps it's best
> to check.
Yeah I'll write a test also to see where exactly the issues are. Thanks
for the report/fix.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic