The parse_reply_info_dir() logic tries to parse
a dir fragment:
struct ceph_mds_reply_dirfrag {
__le32 frag; /* fragment */
__le32 auth; /* auth mds, if this is a delegation point */
__le32 ndist; /* number of mds' this is replicated on */
__le32 dist[];
} __attribute__ ((packed));
Potentially, ndist field could be corrupted or to have
invalid or malicious value. As a result, this logic
could result in overflow:
*p += sizeof(**dirfrag) + sizeof(u32) * le32_to_cpu((*dirfrag)->ndist);
Al Viro suggested the initial vision of the fix.
The suggested fix was partially reworked.
This patch adds the checking that ndist is not bigger
than (U32_MAX / sizeof(u32)) and to check that we have
enough space in memory buffer by means of ceph_decode_need().
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
cc: Alex Markuze <amarkuze@redhat.com>
cc: Ilya Dryomov <idryomov@gmail.com>
cc: Ceph Development <ceph-devel@vger.kernel.org>
struct ceph_mds_reply_dirfrag **dirfrag,
u64 features)
{
+ size_t item_size = sizeof(u32);
+ size_t dirfrag_size;
+ u32 ndist;
+ u32 array_size;
+
if (features == (u64)-1) {
u8 struct_v, struct_compat;
u32 struct_len;
end = *p + struct_len;
}
- ceph_decode_need(p, end, sizeof(**dirfrag), bad);
+ dirfrag_size = sizeof(**dirfrag);
+ ceph_decode_need(p, end, dirfrag_size, bad);
*dirfrag = *p;
- *p += sizeof(**dirfrag) + sizeof(u32) * le32_to_cpu((*dirfrag)->ndist);
- if (unlikely(*p > end))
+ *p += dirfrag_size;
+ ndist = le32_to_cpu((*dirfrag)->ndist);
+ if (unlikely(ndist > (U32_MAX / item_size)))
goto bad;
+ array_size = ndist * item_size;
+ ceph_decode_need(p, end, array_size, bad);
+ *p += array_size;
if (features == (u64)-1)
*p = end;
return 0;
projects / ceph-client.git / commitdiff