From: Thomas Lamprecht Date: Mon, 18 Oct 2021 12:04:10 +0000 (+0200) Subject: backport "ocfs2: mount fails with buffer overflow in strlen" X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=68145b3f8417038e4dc81ca5aafb2679933484c0;p=pve-kernel.git backport "ocfs2: mount fails with buffer overflow in strlen" we've got good feedback from customers and the patch got two R-b's and no NAK or the like upstream: https://lore.kernel.org/all/20210929180654.32460-1-vvidic@valentin-vidic.from.hr/t/ Signed-off-by: Thomas Lamprecht --- diff --git a/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch b/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch new file mode 100644 index 0000000..b01e25b --- /dev/null +++ b/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch @@ -0,0 +1,68 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Valentin Vidic +Date: Mon, 27 Sep 2021 17:44:59 +0200 +Subject: [PATCH] ocfs2: mount fails with buffer overflow in strlen + +Starting with kernel v5.11 mouting an ocfs2 filesystem with either o2cb +or pcmk cluster stack fails with the trace below. Problem seems to be +that strings for cluster stack and cluster name are not guaranteed to be +null terminated in the disk representation, while strlcpy assumes that +the source string is always null terminated. This causes a read outside +of the source string triggering the buffer overflow detection. + +detected buffer overflow in strlen +------------[ cut here ]------------ +kernel BUG at lib/string.c:1149! +invalid opcode: 0000 [#1] SMP PTI +CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 + Debian 5.14.6-2 +RIP: 0010:fortify_panic+0xf/0x11 +... +Call Trace: + ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] + ocfs2_fill_super+0x359/0x19b0 [ocfs2] + mount_bdev+0x185/0x1b0 + ? ocfs2_remount+0x440/0x440 [ocfs2] + legacy_get_tree+0x27/0x40 + vfs_get_tree+0x25/0xb0 + path_mount+0x454/0xa20 + __x64_sys_mount+0x103/0x140 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Signed-off-by: Valentin Vidic +Signed-off-by: Thomas Lamprecht +--- + fs/ocfs2/super.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c +index c86bd4e60e20..1dea535224df 100644 +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -2169,9 +2169,10 @@ static int ocfs2_initialize_super(struct super_block *sb, + if (ocfs2_clusterinfo_valid(osb)) { + osb->osb_stackflags = + OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags; +- strlcpy(osb->osb_cluster_stack, ++ memcpy(osb->osb_cluster_stack, + OCFS2_RAW_SB(di)->s_cluster_info.ci_stack, +- OCFS2_STACK_LABEL_LEN + 1); ++ OCFS2_STACK_LABEL_LEN); ++ osb->osb_cluster_stack[OCFS2_STACK_LABEL_LEN] = '\0'; + if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) { + mlog(ML_ERROR, + "couldn't mount because of an invalid " +@@ -2180,9 +2181,10 @@ static int ocfs2_initialize_super(struct super_block *sb, + status = -EINVAL; + goto bail; + } +- strlcpy(osb->osb_cluster_name, ++ memcpy(osb->osb_cluster_name, + OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster, +- OCFS2_CLUSTER_NAME_LEN + 1); ++ OCFS2_CLUSTER_NAME_LEN); ++ osb->osb_cluster_name[OCFS2_CLUSTER_NAME_LEN] = '\0'; + } else { + /* The empty string is identical with classic tools that + * don't know about s_cluster_info. */