linux-stable/fs
Li Nan 0f63fbabea efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
[ Upstream commit a6358f8cf6 ]

Observed on kernel 6.6 (present on master as well):

  BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
  Call trace:
   kasan_check_range+0xe8/0x190
   __asan_loadN+0x1c/0x28
   memcmp+0x98/0xd0
   efivarfs_d_compare+0x68/0xd8
   __d_lookup_rcu_op_compare+0x178/0x218
   __d_lookup_rcu+0x1f8/0x228
   d_alloc_parallel+0x150/0x648
   lookup_open.isra.0+0x5f0/0x8d0
   open_last_lookups+0x264/0x828
   path_openat+0x130/0x3f8
   do_filp_open+0x114/0x248
   do_sys_openat2+0x340/0x3c0
   __arm64_sys_openat+0x120/0x1a0

If dentry->d_name.len < EFI_VARIABLE_GUID_LEN, 'guid' can become
negative, leading to oob. The issue can be triggered by parallel
lookups using an invalid filename:

  T1			T2
  lookup_open
   ->lookup
    simple_lookup
     d_add
     // invalid dentry is added to hash list

			lookup_open
			 d_alloc_parallel
			  __d_lookup_rcu
			   __d_lookup_rcu_op_compare
			    hlist_bl_for_each_entry_rcu
			    // invalid dentry can be retrieved
			     ->d_compare
			      efivarfs_d_compare
			      // oob

Fix it by checking 'guid' before cmp.

Fixes: da27a24383 ("efivarfs: guid part of filenames are case-insensitive")
Signed-off-by: Li Nan <linan122@huawei.com>
Signed-off-by: Wu Guanghao <wuguanghao3@huawei.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-09-04 14:05:55 +02:00
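The compare described in the commit above, as an added example that is not the kernel's code: a standalone model of an efivarfs-style d_compare with the "guid" length check applied, beside a helper that shows what the unchecked "len - EFI_VARIABLE_GUID_LEN" turns into once it reaches memcmp(). It assumes EFI_VARIABLE_GUID_LEN is 36 (the UUID string length) and that names have the form "<VariableName>-<GUID>"; the exact upstream form of the fix is not reproduced, only the check the message describes. Sample names are constructed for the example.

```c
/* Added example, not from linux-stable. Models the efivarfs dentry
 * comparison the commit describes: the variable-name prefix is compared
 * case-sensitively, the 36-character GUID suffix case-insensitively.
 * Assumed: EFI_VARIABLE_GUID_LEN == 36 (UUID_STRING_LEN in <linux/efi.h>). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define EFI_VARIABLE_GUID_LEN 36

/* Length that an unchecked "len - EFI_VARIABLE_GUID_LEN" hands to memcmp()
 * once it is converted to size_t. For len < 36 the int is negative and
 * wraps to a huge value: this is the out-of-bounds read KASAN reported.
 * The value is returned, not used, so the example never does the bad read. */
size_t unchecked_memcmp_len(unsigned int len)
{
    int guid = (int)len - EFI_VARIABLE_GUID_LEN;
    return (size_t)guid;
}

/* Compare with the check the commit message calls for: a name with no room
 * for a GUID is rejected before any memory is touched. Returns 0 on match,
 * non-zero otherwise, following the d_compare convention. (Assumed shape of
 * the fix; the upstream patch is not reproduced here.) */
int efivarfs_compare_fixed(const char *str, unsigned int len,
                           const char *name, unsigned int name_len)
{
    int guid = (int)len - EFI_VARIABLE_GUID_LEN;

    if (name_len != len)
        return 1;

    /* The missing check: a negative guid must never reach memcmp(). */
    if (guid < 0)
        return 1;

    /* Case-sensitive compare of the variable-name prefix. */
    if (memcmp(str, name, (size_t)guid))
        return 1;

    /* Case-insensitive compare of the GUID suffix. */
    return strncasecmp(name + guid, str + guid, EFI_VARIABLE_GUID_LEN);
}

/* Convenience wrapper for NUL-terminated names; 1 if they match, else 0. */
int efivarfs_names_match(const char *a, const char *b)
{
    return efivarfs_compare_fixed(a, (unsigned int)strlen(a),
                                  b, (unsigned int)strlen(b)) == 0;
}

int main(void)
{
    /* Constructed sample names (the GUID is the EFI global-variable GUID). */
    const char *good  = "Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c";
    const char *upper = "Boot0000-8BE4DF61-93CA-11D2-AA0D-00E098032B8C";
    const char *other = "Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c";
    const char *bad   = "foo"; /* invalid: shorter than a GUID */

    printf("GUID case differs : match=%d\n", efivarfs_names_match(good, upper));
    printf("name differs      : match=%d\n", efivarfs_names_match(good, other));
    printf("short name \"%s\"  : match=%d\n", bad, efivarfs_names_match(bad, bad));
    printf("unchecked memcmp len for \"%s\": %zu\n",
           bad, unchecked_memcmp_len((unsigned int)strlen(bad)));
    return 0;
}
```

The point of the wrapper check is ordering: the length test must sit before the memcmp(), because once a dentry with an invalid name is on the hash list (the T1 side of the race above) any later RCU lookup can hand it to d_compare and the negative length is converted to size_t at the call.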
9p
adfs
affs affs: don't write overlarge OFS data block size fields 2025-04-10 14:29:42 +02:00
afs afs: Fix directory format encoding struct 2025-03-13 12:42:52 +01:00
autofs
befs
bfs
btrfs btrfs: populate otime when logging an inode item 2025-08-28 16:21:35 +02:00
cachefiles
ceph ceph: fix possible integer overflow in ceph_zero_objects() 2025-07-17 18:24:50 +02:00
cifs cifs: Fix UAF in cifs_demultiplex_thread() 2025-08-28 16:21:36 +02:00
coda
configfs configfs: Do not override creating attribute file failure in populate_attrs() 2025-06-27 11:02:50 +01:00
cramfs
crypto
debugfs
devpts
dlm
ecryptfs
efivarfs efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare 2025-09-04 14:05:55 +02:00
efs
erofs erofs: fix incorrect symlink detection in fast symlink 2025-01-09 13:23:27 +01:00
exportfs
ext2
ext4 ext4: fix reserved gdt blocks handling in fsmap 2025-08-28 16:21:31 +02:00
f2fs f2fs: fix to avoid out-of-boundary access in dnode page 2025-08-28 16:21:35 +02:00
fat fat: fix uninitialized variable 2024-11-08 16:20:47 +01:00
freevxfs
fscache
fuse virtiofs: add filesystem context source name check 2025-05-02 07:39:21 +02:00
gfs2 gfs2: move msleep to sleepable context 2025-06-27 11:02:50 +01:00
hfs hfs: fix not erasing deleted b-tree node issue 2025-08-28 16:21:24 +02:00
hfsplus hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() 2025-08-28 16:21:24 +02:00
hostfs
hpfs
hugetlbfs mm: update memfd seal write check to include F_SEAL_WRITE 2025-08-28 16:21:36 +02:00
iomap
isofs isofs: Verify inode mode when loading from disk 2025-08-28 16:21:15 +02:00
jbd2 jbd2: prevent softlockup in jbd2_log_do_checkpoint() 2025-08-28 16:21:31 +02:00
jffs2 jffs2: check jffs2_prealloc_raw_node_refs() result in few other places 2025-06-27 11:02:56 +01:00
jfs jfs: upper bound check of tree index in dbAllocAG 2025-08-28 16:21:28 +02:00
kernfs
lockd
minix
nfs nfs: fix UAF in direct writes 2025-08-28 16:21:37 +02:00
nfs_common
nfsd nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() 2025-08-28 16:21:34 +02:00
nilfs2 nilfs2: reject invalid file types when reading inodes 2025-08-28 16:21:18 +02:00
nls
notify
ntfs
ocfs2 ocfs2: stop quota recovery before disabling quotas 2025-06-04 14:32:27 +02:00
omfs
openpromfs
orangefs fs/orangefs: use snprintf() instead of sprintf() 2025-08-28 16:21:27 +02:00
overlayfs ovl: Check for NULL d_inode() in ovl_dentry_upper() 2025-07-17 18:24:51 +02:00
proc fix proc_sys_compare() handling of in-lookup dentries 2025-07-17 18:25:01 +02:00
pstore
qnx4
qnx6
quota quota: flush quota_release_work upon quota writeback 2024-12-14 19:44:42 +01:00
ramfs
reiserfs
romfs
squashfs squashfs: fix memory leak in squashfs_fill_super 2025-08-28 16:21:32 +02:00
sysfs
sysv
tracefs
ubifs ubifs: skip dumping tnc tree when zroot is null 2025-03-13 12:42:59 +01:00
udf udf: Verify partition map count 2025-08-28 16:21:24 +02:00
ufs
unicode Revert "unicode: Don't special case ignorable code points" 2024-12-14 19:44:55 +01:00
verity
xfs xfs: don't drop errno values when we fail to ficlone the entire range 2024-12-19 18:05:03 +01:00
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c
binfmt_em86.c
binfmt_flat.c binfmt_flat: Fix integer overflow bug on 32 bit systems 2025-03-13 12:43:07 +01:00
binfmt_misc.c
binfmt_script.c
block_dev.c
buffer.c fs/buffer: fix use-after-free when call bh_read() helper 2025-08-28 16:21:32 +02:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c
compat.c
coredump.c coredump: hand a pidfd to the usermode coredump helper 2025-06-04 14:32:36 +02:00
d_path.c
dax.c
dcache.c
dcookies.c
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c epoll: Add synchronous wakeup support for ep_poll_callback 2025-01-09 13:23:32 +01:00
exec.c
fcntl.c
fhandle.c
file_table.c
file.c alloc_fdtable(): change calling conventions. 2025-08-28 16:21:37 +02:00
filesystems.c fs/filesystems: Fix potential unsigned integer underflow in fs_name() 2025-06-27 11:02:50 +01:00
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c
fsopen.c
inode.c
internal.h
io_uring.c
ioctl.c
Kconfig nfs: add missing selections of CONFIG_CRC32 2025-05-02 07:39:20 +02:00
Kconfig.binfmt
libfs.c
locks.c
Makefile
mbcache.c
mount.h
mpage.c
namei.c fuse: don't truncate cached, mutated symlink 2025-04-10 14:29:36 +02:00
namespace.c use uniform permission checks for all mount propagation changes 2025-08-28 16:21:32 +02:00
no-block.c
nsfs.c
open.c
pipe.c
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c
select.c
seq_file.c
signalfd.c
splice.c
stack.c
stat.c
statfs.c
super.c
sync.c
timerfd.c
userfaultfd.c
utimes.c
xattr.c