diff options
author | Ritesh Harjani <riteshh@codeaurora.org> | 2018-03-19 16:03:09 +0530 |
---|---|---|
committer | Amit Pundir <amit.pundir@linaro.org> | 2018-05-20 16:40:16 +0530 |
commit | eab5b7eaae99f4090d458ed93a21e78662691319 (patch) | |
tree | 92b78edc01f9733fcca717aa5134e1f0220e34e4 /fs/fuse | |
parent | ccce1028fa2278a1f887d2114ab13be7a51dd70a (diff) |
ANDROID: fuse: Add null terminator to path in canonical path to avoid issue
page allocated in fuse_dentry_canonical_path to be handled in
fuse_dev_do_write is allocated using __get_free_pages(GFP_KERNEL).
This may not return a page with data filled with 0. Now this
page may not have a null terminator at all.
If this happens and userspace fuse daemon screws up by passing a string
to kernel which is not NULL terminated (or did not fill anything),
then inside fuse driver in kernel when we try to do
strlen(fuse_dev_write->kern_path->getname_kernel)
on that page data -> it may give us issue with kernel paging request.
Unable to handle kernel paging request at virtual address
------------[ cut here ]------------
<..>
PC is at strlen+0x10/0x90
LR is at getname_kernel+0x2c/0xf4
<..>
strlen+0x10/0x90
kern_path+0x28/0x4c
fuse_dev_do_write+0x5b8/0x694
fuse_dev_write+0x74/0x94
do_iter_readv_writev+0x80/0xb8
do_readv_writev+0xec/0x1cc
vfs_writev+0x54/0x64
SyS_writev+0x64/0xe4
el0_svc_naked+0x24/0x28
To avoid this we should ensure in case of FUSE_CANONICAL_PATH,
the page is null terminated.
Change-Id: I33ca7cc76b4472eaa982c67bb20685df451121f5
Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org>
Bug: 75984715
[Daniel - small edit, using args size ]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Diffstat (limited to 'fs/fuse')
-rw-r--r-- | fs/fuse/dev.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index fbfec06b054d..d0ab1a34a6d2 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1941,8 +1941,10 @@ static ssize_t fuse_dev_do_write(struct fuse_dev *fud, err = copy_out_args(cs, &req->out, nbytes); if (req->in.h.opcode == FUSE_CANONICAL_PATH) { - req->out.h.error = kern_path((char *)req->out.args[0].value, 0, - req->canonical_path); + char *path = (char *)req->out.args[0].value; + + path[req->out.args[0].size - 1] = 0; + req->out.h.error = kern_path(path, 0, req->canonical_path); } fuse_copy_finish(cs); |