On Tue, Aug 18, 2020 at 03:32:02AM +0200, Jann Horn wrote:
> romfs has a superblock field that limits the size of the filesystem;
> data beyond that limit is never accessed.
>
> romfs_dev_read() fetches a caller-supplied number of bytes from the
> backing device. It returns 0 on success or an error code on failure;
> therefore, its API can't represent short reads, it's all-or-nothing.
>
> However, when romfs_dev_read() detects that the requested operation
> would cross the filesystem size limit, it currently silently truncates
> the requested number of bytes. This e.g. means that when the content
> of a file with size 0x1000 starts one byte before the filesystem size
> limit, ->readpage() will only fill a single byte of the supplied page
> while leaving the rest uninitialized, leaking that uninitialized memory
> to userspace.
>
> Fix it by returning an error code instead of truncating the read when
> the requested read operation would go beyond the end of the filesystem.
>
> Cc: sta...@vger.kernel.org
> Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices
> directly")
> Signed-off-by: Jann Horn <ja...@google.com>
Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
