Skip to content

Commit

Permalink
linux-esx: tarfs: fixes buffer overflow from strlen()
Browse files Browse the repository at this point in the history
- If strlen(buffer) and buffer size is 100
and if buffer consist of non-null terminating
100bytes then __fortify_strlen() detects buffer
overflow and hit BUG() in kernel code.

[  496.370015] detected buffer overflow in __fortify_strlen
[  496.370079] ------------[ cut here ]------------
[  496.370081] kernel BUG at lib/string_helpers.c:1027!
[  496.370101] invalid opcode: 0000 [#1] SMP PTI
[  496.370111] CPU: 0 PID: 1179 Comm: mount Not tainted 6.1.10-6.ph5-esx #1-photon
[  496.370124] Hardware name: VMware, Inc. VMware7,1/440BX Desktop Reference Platform, BIOS VMW71.00V.9318676.B64.1807270745 07/27/2018
[  496.370146] RIP: 0010:fortify_panic+0x13/0x15

- fixes this by replacing strlen with strnlen

Change-Id: I1b7f1880789b18d89dfe5b3515779bdcb3a4bb6f
Signed-off-by: Ankit Jain <ankitja@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/20573
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Tapas Kundu <tkundu@vmware.com>
Signed-off-by: Ankit Jain <ankitja@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/21922
Reviewed-by: Ajay Kaher <akaher@vmware.com>
  • Loading branch information
jaankit authored and akaher committed Sep 19, 2023
1 parent 21b8836 commit 6d9d7ef
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 24 deletions.
43 changes: 20 additions & 23 deletions esx/0001-fs-TARFS-file-system-to-mount-TAR-archive.patch
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
From 2a0b3b52f1140111e0f4ce33f8c634e44135eafa Mon Sep 17 00:00:00 2001
From d0196e01e76746a41a923631837cb087fa9c81a9 Mon Sep 17 00:00:00 2001
From: Ankit Jain <ankitja@vmware.com>
Date: Sun, 14 Nov 2021 19:38:28 +0000
Subject: [PATCH] fs: TARFS file system to mount TAR archive
Expand All @@ -21,8 +21,8 @@ allocation for file content data.
Signed-off-by: Srinidhi Rao <srinidhir@vmware.com>
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Signed-off-by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
Signed-off-by: Ankit Jain <ankitja@vmware.com>
Signed-off-by: Bo Gan <ganb@vmware.com>
Signed-off-by: Ankit Jain <ankitja@vmware.com>
---
fs/Kconfig | 1 +
fs/Makefile | 1 +
Expand All @@ -31,8 +31,8 @@ Signed-off-by: Bo Gan <ganb@vmware.com>
fs/tarfs/README.md | 64 +++
fs/tarfs/tarfs.h | 183 +++++++++
fs/tarfs/tarfs_file_dir_ops.c | 588 ++++++++++++++++++++++++++++
fs/tarfs/tarfs_inode.c | 717 ++++++++++++++++++++++++++++++++++
8 files changed, 1587 insertions(+)
fs/tarfs/tarfs_inode.c | 714 ++++++++++++++++++++++++++++++++++
8 files changed, 1584 insertions(+)
create mode 100644 fs/tarfs/Kconfig
create mode 100644 fs/tarfs/Makefile
create mode 100644 fs/tarfs/README.md
Expand All @@ -41,10 +41,10 @@ Signed-off-by: Bo Gan <ganb@vmware.com>
create mode 100644 fs/tarfs/tarfs_inode.c

diff --git a/fs/Kconfig b/fs/Kconfig
index 2b819273bca2..e0f7208fc78f 100644
index 055c4d5f1..4450042f0 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -320,6 +320,7 @@ source "fs/erofs/Kconfig"
@@ -321,6 +321,7 @@ source "fs/erofs/Kconfig"
source "fs/vboxsf/Kconfig"
source "fs/vtar/Kconfig"
source "fs/vtarfs/Kconfig"
Expand All @@ -53,17 +53,17 @@ index 2b819273bca2..e0f7208fc78f 100644
endif # MISC_FILESYSTEMS

diff --git a/fs/Makefile b/fs/Makefile
index 91ba9d65aceb..a2ae3527b25c 100644
index b675a2067..75aed184b 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -140,3 +140,4 @@ obj-$(CONFIG_VBOXSF_FS) += vboxsf/
@@ -139,3 +139,4 @@ obj-$(CONFIG_VBOXSF_FS) += vboxsf/
obj-$(CONFIG_ZONEFS_FS) += zonefs/
obj-$(CONFIG_VTAR) += vtar/
obj-$(CONFIG_VTARFS) += vtarfs/
+obj-$(CONFIG_TARFS) += tarfs/
diff --git a/fs/tarfs/Kconfig b/fs/tarfs/Kconfig
new file mode 100644
index 000000000000..ff60b7e091d8
index 000000000..ff60b7e09
--- /dev/null
+++ b/fs/tarfs/Kconfig
@@ -0,0 +1,18 @@
Expand All @@ -87,7 +87,7 @@ index 000000000000..ff60b7e091d8
+ module will be called tarfs. If unsure, say N.
diff --git a/fs/tarfs/Makefile b/fs/tarfs/Makefile
new file mode 100644
index 000000000000..592e207bb3b5
index 000000000..592e207bb
--- /dev/null
+++ b/fs/tarfs/Makefile
@@ -0,0 +1,15 @@
Expand All @@ -108,7 +108,7 @@ index 000000000000..592e207bb3b5
+ make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
diff --git a/fs/tarfs/README.md b/fs/tarfs/README.md
new file mode 100644
index 000000000000..2a816e9ff7e1
index 000000000..2a816e9ff
--- /dev/null
+++ b/fs/tarfs/README.md
@@ -0,0 +1,64 @@
Expand Down Expand Up @@ -178,7 +178,7 @@ index 000000000000..2a816e9ff7e1
+
diff --git a/fs/tarfs/tarfs.h b/fs/tarfs/tarfs.h
new file mode 100644
index 000000000000..911bd20fbc21
index 000000000..911bd20fb
--- /dev/null
+++ b/fs/tarfs/tarfs.h
@@ -0,0 +1,183 @@
Expand Down Expand Up @@ -367,7 +367,7 @@ index 000000000000..911bd20fbc21
+#endif
diff --git a/fs/tarfs/tarfs_file_dir_ops.c b/fs/tarfs/tarfs_file_dir_ops.c
new file mode 100644
index 000000000000..41fa448a041a
index 000000000..41fa448a0
--- /dev/null
+++ b/fs/tarfs/tarfs_file_dir_ops.c
@@ -0,0 +1,588 @@
Expand Down Expand Up @@ -961,10 +961,10 @@ index 000000000000..41fa448a041a
+EXPORT_SYMBOL_GPL(tarfs_bmap);
diff --git a/fs/tarfs/tarfs_inode.c b/fs/tarfs/tarfs_inode.c
new file mode 100644
index 000000000000..89e4a6397639
index 000000000..4231476f3
--- /dev/null
+++ b/fs/tarfs/tarfs_inode.c
@@ -0,0 +1,717 @@
@@ -0,0 +1,714 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Filesystem to directly mount tar archive.
Expand Down Expand Up @@ -1136,18 +1136,15 @@ index 000000000000..89e4a6397639
+ } else {
+ name_end = memchr(header->name, 0, sizeof(header->name));
+ if (!name_end) {
+ tarfs_err("Header name is not proper [%s][%ld][%ld], name_end is NULL!!",
+ header->name, sizeof(header->name), strlen(header->name));
+ /*
+ * Handle the case where header->name is exact 100 bytes long and
+ * thus there is no '\0' char and mode bytes gets appended to header->name
+ * Handle the case where header->name is exact 100 bytes long or more
+ */
+ if ((strlen(header->name) > sizeof(header->name)) &&
+ (memcmp(header->name + sizeof(header->name),
+ header->mode, sizeof(header->mode)) == 0)) {
+ if (strnlen(header->name, sizeof(header->name)) == sizeof(header->name)) {
+ tarfs_info("Header name is exact 100 bytes long!! Handling it properly!!");
+ name_end = header->name + sizeof(header->name);
+ } else {
+ tarfs_err("Header name is not proper [%s][%ld][%ld], name_end is NULL!!",
+ header->name, sizeof(header->name), strnlen(header->name, sizeof(header->name)));
+ return NULL;
+ }
+ }
Expand Down Expand Up @@ -1683,5 +1680,5 @@ index 000000000000..89e4a6397639
+MODULE_AUTHOR("VMware Photon OS : Ankit Jain <ankitja@vmware.com>");
+MODULE_AUTHOR("VMware Photon OS : Ashwin Dayanand Kamat <kashwindayan@vmware.com>");
--
2.25.1
2.23.1

4 changes: 3 additions & 1 deletion linux-esx.spec
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
Summary: Kernel
Name: linux-esx
Version: 6.1.10
Release: 12%{?kat_build:.kat}%{?dist}
Release: 13%{?kat_build:.kat}%{?dist}
License: GPLv2
URL: http://www.kernel.org
Group: System Environment/Kernel
Expand Down Expand Up @@ -500,6 +500,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
%{_usrsrc}/linux-headers-%{uname_r}

%changelog
* Tue Sep 19 2023 Ankit Jain <ankitja@vmware.com> 6.1.10-13
- tarfs: fixes buffer overflow
* Mon Jul 17 2023 Keerthana K <keerthanak@vmware.com> 6.1.10-12
- Use canister version 5.0.0-6.1.37-2
* Tue Jul 11 2023 Shreenidhi Shedi <sshedi@vmware.com> 6.1.10-11
Expand Down

0 comments on commit 6d9d7ef

Please sign in to comment.