]> git.baikalelectronics.ru Git - kernel.git/commitdiff
net/9p: validate fds in p9_fd_open
authorChristoph Hellwig <hch@lst.de>
Fri, 10 Jul 2020 08:57:22 +0000 (10:57 +0200)
committerDominique Martinet <asmadeus@codewreck.org>
Sun, 19 Jul 2020 12:58:29 +0000 (14:58 +0200)
p9_fd_open just fgets file descriptors passed in from userspace, but
doesn't verify that they are valid for read or writing.  This gets
cought down in the VFS when actually attempting a read or write, but
a new warning added in linux-next upsets syzcaller.

Fix this by just verifying the fds early on.

Link: http://lkml.kernel.org/r/20200710085722.435850-1-hch@lst.de
Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com
Signed-off-by: Christoph Hellwig <hch@lst.de>
[Dominique: amend goto as per Doug Nazar's review]
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
net/9p/trans_fd.c

index 13cd683a658ab67b38aa26bd0195f23113707e29..9c9196d30a59f1ca74ef6ef3e5a2dbe7ce27b335 100644 (file)
@@ -803,20 +803,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd)
                return -ENOMEM;
 
        ts->rd = fget(rfd);
+       if (!ts->rd)
+               goto out_free_ts;
+       if (!(ts->rd->f_mode & FMODE_READ))
+               goto out_put_rd;
        ts->wr = fget(wfd);
-       if (!ts->rd || !ts->wr) {
-               if (ts->rd)
-                       fput(ts->rd);
-               if (ts->wr)
-                       fput(ts->wr);
-               kfree(ts);
-               return -EIO;
-       }
+       if (!ts->wr)
+               goto out_put_rd;
+       if (!(ts->wr->f_mode & FMODE_WRITE))
+               goto out_put_wr;
 
        client->trans = ts;
        client->status = Connected;
 
        return 0;
+
+out_put_wr:
+       fput(ts->wr);
+out_put_rd:
+       fput(ts->rd);
+out_free_ts:
+       kfree(ts);
+       return -EIO;
 }
 
 static int p9_socket_open(struct p9_client *client, struct socket *csocket)