    jfs: Fix usercopy whitelist for inline inode data · 961b33c2
    Kees Cook authored
    Bart Massey reported what turned out to be a usercopy whitelist false
    positive in JFS when symlink contents exceeded 128 bytes. The inline
    inode data (i_inline) is actually designed to overflow into the "extended
    area" following it (i_inline_ea) when needed. So the whitelist needed to
    be expanded to include both i_inline and i_inline_ea (the whole size
    of which is calculated internally using IDATASIZE, 256, instead of
    sizeof(i_inline), 128).
    
    $ cd /mnt/jfs
    $ touch $(perl -e 'print "B" x 250')
    $ ln -s B* b
    $ ls -l >/dev/null
    
    [  249.436410] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'jfs_ip' (offset 616, size 250)!
    Reported-by: Bart Massey <bart.massey@gmail.com>
    Fixes: 8d2704d3 ("jfs: Define usercopy region in jfs_ip slab cache")
    Cc: Dave Kleikamp <shaggy@kernel.org>
    Cc: jfs-discussion@lists.sourceforge.net
    Cc: stable@vger.kernel.org
    Signed-off-by: Kees Cook <keescook@chromium.org>
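The window check behind the log line above can be modelled in user space. This is an added example, not code from the kernel or from this commit: `model_jfs_ip`, `usercopy_window` and the helper functions are hypothetical names, and the 616-byte padding is constructed so that `i_inline` sits at the offset reported in the log.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define IDATASIZE 256 /* i_inline + i_inline_ea, per the commit message */

/* Hypothetical stand-in for the jfs_ip slab object: only the two fields named
 * in the commit message are modelled, and the padding is constructed so that
 * i_inline lands at offset 616, the offset in the kernel log line. */
struct model_jfs_ip {
    unsigned char other_fields[616];
    unsigned char i_inline[128];
    unsigned char i_inline_ea[128]; /* i_inline is designed to overflow into this */
};

/* Whitelisted region of a slab object: [useroffset, useroffset + usersize). */
struct usercopy_window { size_t useroffset, usersize; };

/* True when copying n bytes from object offset `offset` stays inside the window. */
static bool usercopy_allowed(const struct usercopy_window *w, size_t offset, size_t n)
{
    if (offset < w->useroffset)
        return false;
    size_t into = offset - w->useroffset;
    return into <= w->usersize && n <= w->usersize - into;
}

/* Window sized with sizeof(i_inline), 128: the state the commit describes as too small. */
static bool allowed_before_fix(size_t offset, size_t n)
{
    struct usercopy_window w = { offsetof(struct model_jfs_ip, i_inline),
                                 sizeof(((struct model_jfs_ip *)0)->i_inline) };
    return usercopy_allowed(&w, offset, n);
}

/* Window sized with IDATASIZE, 256: covers i_inline and i_inline_ea together. */
static bool allowed_after_fix(size_t offset, size_t n)
{
    struct usercopy_window w = { offsetof(struct model_jfs_ip, i_inline), IDATASIZE };
    return usercopy_allowed(&w, offset, n);
}

int main(void)
{
    /* offset 616, size 250: the copy from the log line (250-byte symlink target) */
    printf("before fix: %s\n", allowed_before_fix(616, 250) ? "allowed" : "rejected");
    printf("after fix:  %s\n", allowed_after_fix(616, 250) ? "allowed" : "rejected");
    return 0;
}
```

The widened window still rejects anything that starts before `i_inline` or runs past the end of `i_inline_ea`, so the rest of the object stays outside the whitelist.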
Name
Kconfig
Makefile
acl.c
file.c
inode.c
ioctl.c
jfs_acl.h
jfs_btree.h
jfs_debug.c
jfs_debug.h
jfs_dinode.h
jfs_discard.c
jfs_discard.h
jfs_dmap.c
jfs_dmap.h
jfs_dtree.c
jfs_dtree.h
jfs_extent.c
jfs_extent.h
jfs_filsys.h
jfs_imap.c
jfs_imap.h
jfs_incore.h
jfs_inode.c
jfs_inode.h
jfs_lock.h
jfs_logmgr.c
jfs_logmgr.h
jfs_metapage.c
jfs_metapage.h
jfs_mount.c
jfs_superblock.h
jfs_txnmgr.c
jfs_txnmgr.h
jfs_types.h
jfs_umount.c
jfs_unicode.c
jfs_unicode.h
jfs_uniupr.c
jfs_xattr.h
jfs_xtree.c
jfs_xtree.h
namei.c
resize.c
super.c
symlink.c
xattr.c