]> git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit
romfs: fix uninitialized memory leak in romfs_dev_read()
authorJann Horn <jannh@google.com>
Fri, 21 Aug 2020 00:42:11 +0000 (17:42 -0700)
committerKhalid Elmously <khalid.elmously@canonical.com>
Wed, 16 Sep 2020 09:13:26 +0000 (05:13 -0400)
commit50a53aadf2e5641a0a7fcd3d19aecaa24b6ee7c5
tree46126e99b80a4e9e03bee392a0e9c211fe922077
parent6cd66c8e0483c964000a7da9fbd8d85908fe940f
romfs: fix uninitialized memory leak in romfs_dev_read()

BugLink: https://bugs.launchpad.net/bugs/1893115
commit bcf85fcedfdd17911982a3e3564fcfec7b01eebd upstream.

romfs has a superblock field that limits the size of the filesystem; data
beyond that limit is never accessed.

romfs_dev_read() fetches a caller-supplied number of bytes from the
backing device.  It returns 0 on success or an error code on failure;
therefore, its API can't represent short reads, it's all-or-nothing.

However, when romfs_dev_read() detects that the requested operation would
cross the filesystem size limit, it currently silently truncates the
requested number of bytes.  This e.g.  means that when the content of a
file with size 0x1000 starts one byte before the filesystem size limit,
->readpage() will only fill a single byte of the supplied page while
leaving the rest uninitialized, leaking that uninitialized memory to
userspace.

Fix it by returning an error code instead of truncating the read when the
requested read operation would go beyond the end of the filesystem.

Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/20200818013202.2246365-1-jannh@google.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
fs/romfs/storage.c