• Kees Cook's avatar
    jfs: Fix usercopy whitelist for inline inode data · 961b33c2
    Kees Cook authored
    Bart Massey reported what turned out to be a usercopy whitelist false
    positive in JFS when symlink contents exceeded 128 bytes. The inline
    inode data (i_inline) is actually designed to overflow into the "extended
    area" following it (i_inline_ea) when needed. So the whitelist needed to
    be expanded to include both i_inline and i_inline_ea (the whole size
    of which is calculated internally using IDATASIZE, 256, instead of
    sizeof(i_inline), 128).
    
    $ cd /mnt/jfs
    $ touch $(perl -e 'print "B" x 250')
    $ ln -s B* b
    $ ls -l >/dev/null
    
    [  249.436410] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'jfs_ip' (offset 616, size 250)!
    Reported-by: default avatarBart Massey <bart.massey@gmail.com>
    Fixes: 8d2704d3 ("jfs: Define usercopy region in jfs_ip slab cache")
    Cc: Dave Kleikamp <shaggy@kernel.org>
    Cc: jfs-discussion@lists.sourceforge.net
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    961b33c2
jfs_dinode.h 5.75 KB