ba869c9422
page allocated in fuse_dentry_canonical_path to be handled in fuse_dev_do_write is allocated using __get_free_pages(GFP_KERNEL). This may not return a page with data filled with 0. Now this page may not have a null terminator at all. If this happens and userspace fuse daemon screws up by passing a string to kernel which is not NULL terminated (or did not fill anything), then inside fuse driver in kernel when we try to do strlen(fuse_dev_write->kern_path->getname_kernel) on that page data -> it may give us issue with kernel paging request. Unable to handle kernel paging request at virtual address ------------[ cut here ]------------ <..> PC is at strlen+0x10/0x90 LR is at getname_kernel+0x2c/0xf4 <..> strlen+0x10/0x90 kern_path+0x28/0x4c fuse_dev_do_write+0x5b8/0x694 fuse_dev_write+0x74/0x94 do_iter_readv_writev+0x80/0xb8 do_readv_writev+0xec/0x1cc vfs_writev+0x54/0x64 SyS_writev+0x64/0xe4 el0_svc_naked+0x24/0x28 To avoid this we should ensure in case of FUSE_CANONICAL_PATH, the page is null terminated. Change-Id: I33ca7cc76b4472eaa982c67bb20685df451121f5 Bug: 75984715 [Daniel - small edit, using args size ] Signed-off-by: Daniel Rosenberg <drosen@google.com> Git-Repo: https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?h=aosp-new/android-4.9&id=4fb542f2aa1414cea5686efcf72a411b7213c375 Git-Commit: 4fb542f2aa1414cea5686efcf72a411b7213c375 Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org> |
||
|---|---|---|
| .. | ||
| control.c | ||
| cuse.c | ||
| dev.c | ||
| dir.c | ||
| file.c | ||
| fuse_i.h | ||
| fuse_passthrough.h | ||
| inode.c | ||
| Kconfig | ||
| Makefile | ||
| passthrough.c | ||