bump version to 5.11.22-10+ocfs2+1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
parent
56260ce2ab
commit
61ba841715
@ -0,0 +1,76 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
|
||||||
|
Date: Wed, 29 Sep 2021 20:06:54 +0200
|
||||||
|
Subject: [PATCH] ocfs2: mount fails with buffer overflow in strlen
|
||||||
|
|
||||||
|
Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an
|
||||||
|
ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the
|
||||||
|
trace below. Problem seems to be that strings for cluster stack and
|
||||||
|
cluster name are not guaranteed to be null terminated in the disk
|
||||||
|
representation, while strlcpy assumes that the source string is always
|
||||||
|
null terminated. This causes a read outside of the source string
|
||||||
|
triggering the buffer overflow detection.
|
||||||
|
|
||||||
|
detected buffer overflow in strlen
|
||||||
|
------------[ cut here ]------------
|
||||||
|
kernel BUG at lib/string.c:1149!
|
||||||
|
invalid opcode: 0000 [#1] SMP PTI
|
||||||
|
CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1
|
||||||
|
Debian 5.14.6-2
|
||||||
|
RIP: 0010:fortify_panic+0xf/0x11
|
||||||
|
...
|
||||||
|
Call Trace:
|
||||||
|
ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]
|
||||||
|
ocfs2_fill_super+0x359/0x19b0 [ocfs2]
|
||||||
|
mount_bdev+0x185/0x1b0
|
||||||
|
? ocfs2_remount+0x440/0x440 [ocfs2]
|
||||||
|
legacy_get_tree+0x27/0x40
|
||||||
|
vfs_get_tree+0x25/0xb0
|
||||||
|
path_mount+0x454/0xa20
|
||||||
|
__x64_sys_mount+0x103/0x140
|
||||||
|
do_syscall_64+0x3b/0xc0
|
||||||
|
entry_SYSCALL_64_after_hwframe+0x44/0xae
|
||||||
|
|
||||||
|
Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
|
||||||
|
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
|
||||||
|
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||||
|
---
|
||||||
|
fs/ocfs2/super.c | 14 ++++++++++----
|
||||||
|
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
|
||||||
|
index 2febc76e9de7..435f82892432 100644
|
||||||
|
--- a/fs/ocfs2/super.c
|
||||||
|
+++ b/fs/ocfs2/super.c
|
||||||
|
@@ -2171,11 +2171,17 @@ static int ocfs2_initialize_super(struct super_block *sb,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ocfs2_clusterinfo_valid(osb)) {
|
||||||
|
+ /*
|
||||||
|
+ * ci_stack and ci_cluster in ocfs2_cluster_info may not be null
|
||||||
|
+ * terminated, so make sure no overflow happens here by using
|
||||||
|
+ * memcpy. Destination strings will always be null terminated
|
||||||
|
+ * because osb is allocated using kzalloc.
|
||||||
|
+ */
|
||||||
|
osb->osb_stackflags =
|
||||||
|
OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags;
|
||||||
|
- strlcpy(osb->osb_cluster_stack,
|
||||||
|
+ memcpy(osb->osb_cluster_stack,
|
||||||
|
OCFS2_RAW_SB(di)->s_cluster_info.ci_stack,
|
||||||
|
- OCFS2_STACK_LABEL_LEN + 1);
|
||||||
|
+ OCFS2_STACK_LABEL_LEN);
|
||||||
|
if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) {
|
||||||
|
mlog(ML_ERROR,
|
||||||
|
"couldn't mount because of an invalid "
|
||||||
|
@@ -2184,9 +2190,9 @@ static int ocfs2_initialize_super(struct super_block *sb,
|
||||||
|
status = -EINVAL;
|
||||||
|
goto bail;
|
||||||
|
}
|
||||||
|
- strlcpy(osb->osb_cluster_name,
|
||||||
|
+ memcpy(osb->osb_cluster_name,
|
||||||
|
OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster,
|
||||||
|
- OCFS2_CLUSTER_NAME_LEN + 1);
|
||||||
|
+ OCFS2_CLUSTER_NAME_LEN);
|
||||||
|
} else {
|
||||||
|
/* The empty string is identical with classic tools that
|
||||||
|
* don't know about s_cluster_info. */
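Review bot: In the added fs/ocfs2/super.c patch, both memcpy() calls depend on NUL termination that is established elsewhere, not at the copy site. The new comment says osb comes from kzalloc, and the removed strlcpy() size arguments suggest the destinations hold OCFS2_STACK_LABEL_LEN + 1 and OCFS2_CLUSTER_NAME_LEN + 1 bytes, but neither the allocation nor the field declarations are visible here. Because ci_stack and ci_cluster are read straight from the on-disk superblock, I would write the terminator explicitly after each copy, `osb->osb_cluster_stack[OCFS2_STACK_LABEL_LEN] = '\0';` and `osb->osb_cluster_name[OCFS2_CLUSTER_NAME_LEN] = '\0';`. The strlen() check that follows then stays bounded even if the allocation or an earlier write to osb changes. ocfs2_initialize_super begins and ends outside the hunks shown.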
|