backport "ocfs2: mount fails with buffer overflow in strlen"

we've got good feedback from customers and the patch got two R-b's and no NAK or the like upstream: https://lore.kernel.org/all/20210929180654.32460-1-vvidic@valentin-vidic.from.hr/t/ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-18 14:04:10 +02:00 · 2021-10-18 14:04:10 +02:00 · 68145b3f84
commit 68145b3f84
parent fb9edd57ac
1 changed files with 68 additions and 0 deletions
--- a/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
+++ b/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Mon, 27 Sep 2021 17:44:59 +0200
+Subject: [PATCH] ocfs2: mount fails with buffer overflow in strlen
+
+Starting with kernel v5.11 mouting an ocfs2 filesystem with either o2cb
+or pcmk cluster stack fails with the trace below. Problem seems to be
+that strings for cluster stack and cluster name are not guaranteed to be
+null terminated in the disk representation, while strlcpy assumes that
+the source string is always null terminated. This causes a read outside
+of the source string triggering the buffer overflow detection.
+
+detected buffer overflow in strlen
+------------[ cut here ]------------
+kernel BUG at lib/string.c:1149!
+invalid opcode: 0000 [#1] SMP PTI
+CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1
+  Debian 5.14.6-2
+RIP: 0010:fortify_panic+0xf/0x11
+...
+Call Trace:
+ ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]
+ ocfs2_fill_super+0x359/0x19b0 [ocfs2]
+ mount_bdev+0x185/0x1b0
+ ? ocfs2_remount+0x440/0x440 [ocfs2]
+ legacy_get_tree+0x27/0x40
+ vfs_get_tree+0x25/0xb0
+ path_mount+0x454/0xa20
+ __x64_sys_mount+0x103/0x140
+ do_syscall_64+0x3b/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ fs/ocfs2/super.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
+index c86bd4e60e20..1dea535224df 100644
+--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
+@@ -2169,9 +2169,10 @@ static int ocfs2_initialize_super(struct super_block *sb,
+ 	if (ocfs2_clusterinfo_valid(osb)) {
+ 		osb->osb_stackflags =
+ 			OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags;
+-		strlcpy(osb->osb_cluster_stack,
+		memcpy(osb->osb_cluster_stack,
+ 		       OCFS2_RAW_SB(di)->s_cluster_info.ci_stack,
+-		       OCFS2_STACK_LABEL_LEN + 1);
+		       OCFS2_STACK_LABEL_LEN);
+		osb->osb_cluster_stack[OCFS2_STACK_LABEL_LEN] = '\0';
+ 		if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) {
+ 			mlog(ML_ERROR,
+ 			     "couldn't mount because of an invalid "
+@@ -2180,9 +2181,10 @@ static int ocfs2_initialize_super(struct super_block *sb,
+ 			status = -EINVAL;
+ 			goto bail;
+ 		}
+-		strlcpy(osb->osb_cluster_name,
+		memcpy(osb->osb_cluster_name,
+ 			OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster,
+-			OCFS2_CLUSTER_NAME_LEN + 1);
+			OCFS2_CLUSTER_NAME_LEN);
+		osb->osb_cluster_name[OCFS2_CLUSTER_NAME_LEN] = '\0';
+ 	} else {
+ 		/* The empty string is identical with classic tools that
+ 		 * don't know about s_cluster_info. */