From: Breno Leitao
To: linux-fsdevel@vger.kernel.org
Cc: Breno Leitao
Subject: [PATCH] fs: Abort if a module symbol is too long
Date: Mon, 21 Jan 2019 14:27:40 -0200
Message-Id: <1548088060-25496-1-git-send-email-leitao@debian.org>

If a user tries to mount, using mount(2), a file system with an invalid size,
as in the following example, WARN_ONCE() is called:

	#define MAX 4096*10
	char buffer[MAX];
	memset(&buffer, 0xff, 4096*100);
	syscall(SYS_mount, "/tmp/foo", "/tmp/bar", &buffer, 0x0, NULL);

This simple example can call WARN_ONCE() that dumps the whole CPU register set
to the log buffer, which is undesired, since it dumps internal CPU states.

precision 56029 too large
WARNING: CPU: 1 PID: 17377 at lib/vsprintf.c:2293 set_precision+0xa0/0xc0
Modules linked in: binfmt_misc ghash_generic gf128mul ecb xts ctr evdev cbc vmx_crypto virtio_balloon ip_tables x_tables autofs4 hid_generic usbhid hid ext4 crc16 mbcache jbd2 fscrypto crc32c_generic ohci_pci ehci_pci ohci_hcd ehci_hcd usbcore ibmvscsi scsi_transport_srp
CPU: 1 PID: 17377 Comm: trinity-c10 Not tainted 5.0.0-rc1-00003-g9655f21d217a #960
NIP: c0000000009cd820 LR: c0000000009cd81c CTR: c0000000009d1740
REGS: c00000041d7cf7a0 TRAP: 0700 Not tainted (5.0.0-rc1-00003-g9655f21d217a)
MSR: 8000000002029033 CR: 28024422 XER: 20000000
CFAR: c000000000106cc4 IRQMASK: 0
GPR00: c0000000009cd81c c00000041d7cfa30 c000000000e7d100 0000000000000019
GPR04: 0000000000000000 0000000000000009 000000006772616c 0000000000000019
GPR08: c000000000eb6dc0 0000000000000000 0000000000000000 c00000041d7cf75f
GPR12: 0000000000004400 c00000003ffcf480 0000000010034c30 0000000010034c20
GPR16: 0000000000000000 0000000000000000 0000000010034c40 0000000010034808
GPR20: 0000000010985da4 0000000000000433 0000000000000003 c000000000b68d76
GPR24: c00000041d7cfc88 0000000000000025 0000000000000020 0000000000000038
GPR28: c00000041d7cfbd0 c00000041d7cfc08 c000000000b68d76 c00000041d7cfad0
NIP [c0000000009cd820] set_precision+0xa0/0xc0
LR [c0000000009cd81c] set_precision+0x9c/0xc0
Call Trace:
[c00000041d7cfa30] [c0000000009cd81c] set_precision+0x9c/0xc0 (unreliable)
[c00000041d7cfab0] [c0000000009d1614] vsnprintf+0x194/0x4e0
[c00000041d7cfb30] [c000000000140b2c] __request_module+0xdc/0x570
[c00000041d7cfc50] [c0000000003fd0f8] get_fs_type+0xe8/0x190
[c00000041d7cfcd0] [c0000000004033bc] do_mount+0x2ac/0x1040
[c00000041d7cfdb0] [c000000000404668] ksys_mount+0x158/0x180
[c00000041d7cfe00] [c0000000004046b0] sys_mount+0x20/0x30
[c00000041d7cfe20] [c00000000000bde4] system_call+0x5c/0x70
Instruction dump:
39400000 4bffffe0 7c0802a6 39200001 f8810068 3d42fff7 3c62ffd4 386368d8
992a5bad f8010090
4b739445 60000000 <0fe00000> e8010090 e9410068 7c0803a6 ---[ end trace 9964ee192f850a9d ]--- This path simply does not request the module if the file system name (thus module name) is bigger than MODULE_NAME_LEN. Signed-off-by: Breno Leitao --- fs/filesystems.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/filesystems.c b/fs/filesystems.c index b03f57b1105b..375abb39d073 100644 --- a/fs/filesystems.c +++ b/fs/filesystems.c @@ -264,6 +264,9 @@ struct file_system_type *get_fs_type(const char *name) const char *dot = strchr(name, '.'); int len = dot ? dot - name : strlen(name); + if (len > MODULE_NAME_LEN) + return NULL; + fs = __get_fs_type(name, len); if (!fs && (request_module("fs-%.*s", len, name) == 0)) { fs = __get_fs_type(name, len);
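
Review bot: The bound in the new `if (len > MODULE_NAME_LEN)` check does not account for the "fs-" prefix that `request_module("fs-%.*s", len, name)` prepends, nor for the terminating NUL, so a name of exactly MODULE_NAME_LEN characters (or a few fewer) still reaches request_module() with a module name that cannot fit. Consider comparing against the full formatted length, for example `len + strlen("fs-") >= MODULE_NAME_LEN`. The check also sits ahead of the first `__get_fs_type(name, len)` call, so it rejects the lookup of already registered file systems as well as the module request; if only the module request is meant to be skipped, as the commit message says, fold the length test into the `if (!fs && ...)` condition instead. A short comment explaining why NULL is returned for over-long names, and a subject line that says "module name" rather than "module symbol", would make the intent clearer.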