    romfs: fix uninitialized memory leak in romfs_dev_read() · bcf85fce
    Jann Horn authored
    romfs has a superblock field that limits the size of the filesystem; data
    beyond that limit is never accessed.
    
    romfs_dev_read() fetches a caller-supplied number of bytes from the
    backing device.  It returns 0 on success or an error code on failure;
    therefore, its API can't represent short reads, it's all-or-nothing.
    
    However, when romfs_dev_read() detects that the requested operation would
    cross the filesystem size limit, it currently silently truncates the
    requested number of bytes.  This e.g.  means that when the content of a
    file with size 0x1000 starts one byte before the filesystem size limit,
    ->readpage() will only fill a single byte of the supplied page while
    leaving the rest uninitialized, leaking that uninitialized memory to
    userspace.
    
    Fix it by returning an error code instead of truncating the read when the
    requested read operation would go beyond the end of the filesystem.
    
    Fixes: da4458bd ("NOMMU: Make it possible for RomFS to use MTD devices directly")
    Signed-off-by: Jann Horn <jannh@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: David Howells <dhowells@redhat.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/20200818013202.2246365-1-jannh@google.com
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
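The failure mode the commit message describes, as an added example that is not the commit's code and not fs/romfs/storage.c: a scaled-down model (a 64-byte "device" whose byte at offset i has value i, a 32-byte filesystem limit and 16-byte pages, all constructed assumptions) with the pre-fix clamping read beside the all-or-nothing one, and a readpage-like caller that counts how many bytes of a page the truncating read leaves holding whatever was there before. The names dev_read_truncating, dev_read_fixed and readpage_leaked_bytes are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, scaled-down model (assumption, not romfs code): the backing
 * device is 64 bytes long and byte i of it has the value i, but the
 * superblock says the filesystem is only FS_SIZE bytes. Pages are PAGE_SZ. */
#define DEV_SIZE 64
#define FS_SIZE  32
#define PAGE_SZ  16
#define STALE    0xAA	/* pattern standing in for stale page contents */

static int backing_read(unsigned long pos, unsigned char *buf, size_t n)
{
	if (pos + n > DEV_SIZE)
		return -EIO;
	for (size_t i = 0; i < n; i++)
		buf[i] = (unsigned char)(pos + i);
	return 0;
}

/* Pre-fix shape: a read crossing the filesystem limit is silently clamped,
 * yet the function still reports full success (0). */
static int dev_read_truncating(unsigned long pos, void *buf, size_t buflen)
{
	size_t limit = FS_SIZE;

	if (pos >= limit)
		return -EIO;
	if (buflen > limit - pos)
		buflen = limit - pos;	/* the caller is never told */
	return backing_read(pos, buf, buflen);
}

/* Post-fix shape: the API is all-or-nothing, so a crossing read is an error. */
static int dev_read_fixed(unsigned long pos, void *buf, size_t buflen)
{
	size_t limit = FS_SIZE;

	if (pos >= limit || buflen > limit - pos)
		return -EIO;
	return backing_read(pos, buf, buflen);
}

/* A readpage-like caller. The page starts out holding stale data (a STALE
 * fill here). On error it zeroes the page and propagates the error; on
 * success it hands the page out as-is. Returns the error code on failure,
 * otherwise the number of bytes still holding STALE, i.e. bytes that would
 * reach userspace uninitialised. */
static int readpage_leaked_bytes(int (*dev_read)(unsigned long, void *, size_t),
				 unsigned long pos)
{
	unsigned char page[PAGE_SZ];
	int ret, leaked = 0;

	memset(page, STALE, sizeof(page));
	ret = dev_read(pos, page, sizeof(page));
	if (ret) {
		memset(page, 0, sizeof(page));	/* error path: nothing leaks */
		return ret;
	}
	for (size_t i = 0; i < sizeof(page); i++)
		leaked += (page[i] == STALE);
	return leaked;
}

int main(void)
{
	unsigned long pos = FS_SIZE - 1;	/* file content starts 1 byte before the limit */

	printf("truncating read at %lu: %d stale bytes handed out\n", pos,
	       readpage_leaked_bytes(dev_read_truncating, pos));
	printf("fixed read at %lu: returns %d\n", pos,
	       readpage_leaked_bytes(dev_read_fixed, pos));
	return 0;
}
```

With the clamping read, a page whose backing data starts one byte before the limit gets exactly one byte filled and PAGE_SZ - 1 bytes left untouched, matching the single-byte fill the message describes; the all-or-nothing read turns the same request into -EIO, so the caller zeroes the page instead of handing it out.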