]>
Commit | Line | Data |
---|---|---|
68145b3f TL |
1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Valentin Vidic <vvidic@valentin-vidic.from.hr> | |
3 | Date: Mon, 27 Sep 2021 17:44:59 +0200 | |
4 | Subject: [PATCH] ocfs2: mount fails with buffer overflow in strlen | |
5 | ||
6 | Starting with kernel v5.11 mouting an ocfs2 filesystem with either o2cb | |
7 | or pcmk cluster stack fails with the trace below. Problem seems to be | |
8 | that strings for cluster stack and cluster name are not guaranteed to be | |
9 | null terminated in the disk representation, while strlcpy assumes that | |
10 | the source string is always null terminated. This causes a read outside | |
11 | of the source string triggering the buffer overflow detection. | |
12 | ||
13 | detected buffer overflow in strlen | |
14 | ------------[ cut here ]------------ | |
15 | kernel BUG at lib/string.c:1149! | |
16 | invalid opcode: 0000 [#1] SMP PTI | |
17 | CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 | |
18 | Debian 5.14.6-2 | |
19 | RIP: 0010:fortify_panic+0xf/0x11 | |
20 | ... | |
21 | Call Trace: | |
22 | ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] | |
23 | ocfs2_fill_super+0x359/0x19b0 [ocfs2] | |
24 | mount_bdev+0x185/0x1b0 | |
25 | ? ocfs2_remount+0x440/0x440 [ocfs2] | |
26 | legacy_get_tree+0x27/0x40 | |
27 | vfs_get_tree+0x25/0xb0 | |
28 | path_mount+0x454/0xa20 | |
29 | __x64_sys_mount+0x103/0x140 | |
30 | do_syscall_64+0x3b/0xc0 | |
31 | entry_SYSCALL_64_after_hwframe+0x44/0xae | |
32 | ||
33 | Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr> | |
34 | Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> | |
35 | --- | |
36 | fs/ocfs2/super.c | 10 ++++++---- | |
37 | 1 file changed, 6 insertions(+), 4 deletions(-) | |
38 | ||
39 | diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c | |
40 | index c86bd4e60e20..1dea535224df 100644 | |
41 | --- a/fs/ocfs2/super.c | |
42 | +++ b/fs/ocfs2/super.c | |
43 | @@ -2169,9 +2169,10 @@ static int ocfs2_initialize_super(struct super_block *sb, | |
44 | if (ocfs2_clusterinfo_valid(osb)) { | |
45 | osb->osb_stackflags = | |
46 | OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags; | |
47 | - strlcpy(osb->osb_cluster_stack, | |
48 | + memcpy(osb->osb_cluster_stack, | |
49 | OCFS2_RAW_SB(di)->s_cluster_info.ci_stack, | |
50 | - OCFS2_STACK_LABEL_LEN + 1); | |
51 | + OCFS2_STACK_LABEL_LEN); | |
52 | + osb->osb_cluster_stack[OCFS2_STACK_LABEL_LEN] = '\0'; | |
53 | if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) { | |
54 | mlog(ML_ERROR, | |
55 | "couldn't mount because of an invalid " | |
56 | @@ -2180,9 +2181,10 @@ static int ocfs2_initialize_super(struct super_block *sb, | |
57 | status = -EINVAL; | |
58 | goto bail; | |
59 | } | |
60 | - strlcpy(osb->osb_cluster_name, | |
61 | + memcpy(osb->osb_cluster_name, | |
62 | OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster, | |
63 | - OCFS2_CLUSTER_NAME_LEN + 1); | |
64 | + OCFS2_CLUSTER_NAME_LEN); | |
65 | + osb->osb_cluster_name[OCFS2_CLUSTER_NAME_LEN] = '\0'; | |
66 | } else { | |
67 | /* The empty string is identical with classic tools that | |
68 | * don't know about s_cluster_info. */ |