From 61ba8417158e9747c162fb2c6c7bfbc6df18d5af Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Thu, 30 Sep 2021 13:46:48 +0200 Subject: [PATCH] bump version to 5.11.22-10+ocfs2+1 Signed-off-by: Thomas Lamprecht --- ...fails-with-buffer-overflow-in-strlen.patch | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch diff --git a/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch b/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch new file mode 100644 index 0000000..6184a20 --- /dev/null +++ b/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch @@ -0,0 +1,76 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Valentin Vidic +Date: Wed, 29 Sep 2021 20:06:54 +0200 +Subject: [PATCH] ocfs2: mount fails with buffer overflow in strlen + +Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an +ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the +trace below. Problem seems to be that strings for cluster stack and +cluster name are not guaranteed to be null terminated in the disk +representation, while strlcpy assumes that the source string is always +null terminated. This causes a read outside of the source string +triggering the buffer overflow detection. + +detected buffer overflow in strlen +------------[ cut here ]------------ +kernel BUG at lib/string.c:1149! +invalid opcode: 0000 [#1] SMP PTI +CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 + Debian 5.14.6-2 +RIP: 0010:fortify_panic+0xf/0x11 +... +Call Trace: + ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] + ocfs2_fill_super+0x359/0x19b0 [ocfs2] + mount_bdev+0x185/0x1b0 + ? ocfs2_remount+0x440/0x440 [ocfs2] + legacy_get_tree+0x27/0x40 + vfs_get_tree+0x25/0xb0 + path_mount+0x454/0xa20 + __x64_sys_mount+0x103/0x140 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Signed-off-by: Valentin Vidic +Reviewed-by: Joseph Qi +Signed-off-by: Thomas Lamprecht +--- + fs/ocfs2/super.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c +index 2febc76e9de7..435f82892432 100644 +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -2171,11 +2171,17 @@ static int ocfs2_initialize_super(struct super_block *sb, + } + + if (ocfs2_clusterinfo_valid(osb)) { ++ /* ++ * ci_stack and ci_cluster in ocfs2_cluster_info may not be null ++ * terminated, so make sure no overflow happens here by using ++ * memcpy. Destination strings will always be null terminated ++ * because osb is allocated using kzalloc. ++ */ + osb->osb_stackflags = + OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags; +- strlcpy(osb->osb_cluster_stack, ++ memcpy(osb->osb_cluster_stack, + OCFS2_RAW_SB(di)->s_cluster_info.ci_stack, +- OCFS2_STACK_LABEL_LEN + 1); ++ OCFS2_STACK_LABEL_LEN); + if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) { + mlog(ML_ERROR, + "couldn't mount because of an invalid " +@@ -2184,9 +2190,9 @@ static int ocfs2_initialize_super(struct super_block *sb, + status = -EINVAL; + goto bail; + } +- strlcpy(osb->osb_cluster_name, ++ memcpy(osb->osb_cluster_name, + OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster, +- OCFS2_CLUSTER_NAME_LEN + 1); ++ OCFS2_CLUSTER_NAME_LEN); + } else { + /* The empty string is identical with classic tools that + * don't know about s_cluster_info. */