Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp309122ybi;
        Wed, 29 May 2019 21:59:27 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzg9aZVX3BFI9s+ubGQWNmUkLwrDtluE0j5TzOR2xbfAn/4dX84Ilh9uOMuzmsyr1iANQtC
X-Received: by 2002:a65:4b88:: with SMTP id t8mr2067911pgq.374.1559192367847;
        Wed, 29 May 2019 21:59:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559192367; cv=none;
        d=google.com; s=arc-20160816;
        b=WYZpYlsLtyv9e5Xb/JX8aIoFrNkMCgOJVaxyEHBymZYsHPLsazffrZnRja0svrc+8K
         1ScZY3jrnua79Jg5YKGgK3ClV6JXwJ8N7AoxHk60NvRJXkJJcQMnAY+AP0BusPfzu3+y
         8WZmfQ3OplMY3qu4afMyUzXy+C+1WYOf5a08y5MHbObnI+Was8uzc3rMv4iPKgYo9+e/
         /TC9qVsLf7HfcmMhRY5QUDvUefImmXK3+X89OXQsNIoUHNvmte/5MUnAOTz9TeMSENQJ
         c8Wp75+UZkTke0orkOeFrtWvsdRqKFtr/dr6jOW1YkEqSPNr0hxHkDoOZ46FtXUMhfXw
         YfqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=AhEp9a7BxPEiEirOl6TKGh2BDmulgTFQjeXtyK1kV5Y=;
        b=nrBs9CHSQWtGLXL0QkU5yMs7NGdDxvHo8fCwlMd27fHIHlWkjxnsSGR3phgmhT77hh
         mL3uZMs+3FV1aoE1mP1koiUXmLdHYRJ2A6rKMZhyQnPpu22myy4vzj4zUv350mmE8HjZ
         UkdWtgRwAvZDF84tGPrDUgRdBFPlCkesosATKwri92SDIQ4qf4m6PJvzOwQE48JhsKR2
         zd/MWeJqDcHNH/IQdQqb6zzAdsKGIVG8AbH4UqezA8gnRqOtnkJcHoHWvXwcZ2Woyrua
         68deRaVAkqYrTcjnv7MBl7e9KHaM2C04boXxdqBBVG0eXbY7lOAs+mQ+T/hhUQpodx0U
         FhjA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=VLGPqo00;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a9si448165pls.109.2019.05.29.21.59.12;
        Wed, 29 May 2019 21:59:27 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=VLGPqo00;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2389209AbfE3E4b (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Thu, 30 May 2019 00:56:31 -0400
Received: from mail.kernel.org ([198.145.29.99]:46184 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727914AbfE3DKD (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 May 2019 23:10:03 -0400
Received: from localhost (ip67-88-213-2.z213-88-67.customer.algx.net [67.88.213.2])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 00B07244AF;
        Thu, 30 May 2019 03:10:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1559185803;
        bh=RE8GP/AypUFDoLqbJz6sv5laRPxyjfqswOlola62AMw=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=VLGPqo00Q6a5TjkEbqPnLOf6T2fc82yWxLDbFYM5/vCOPXLdbqfAK1p+ZyQuhpx5R
         5eJQ4gIQu2eJ4dkJQyQymplRv3g/klo8UYHhD2xyUehtvckaMJJV3rsDDV8eibxtdf
         EVljzGguySY0QsM4ElFlRpKx5jp/UBxgGuf7kM9Q=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, David Howells <dhowells@redhat.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.1 047/405] afs: Fix getting the afs.fid xattr
Date:   Wed, 29 May 2019 20:00:45 -0700
Message-Id: <20190530030543.203098952@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190530030540.291644921@linuxfoundation.org>
References: <20190530030540.291644921@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit a2f611a3dc317d8ea1c98ad6c54b911cf7f93193 ]

The AFS3 FID is three 32-bit unsigned numbers and is represented as three
up-to-8-hex-digit numbers separated by colons to the afs.fid xattr.
However, with the advent of support for YFS, the FID is now a 64-bit volume
number, a 96-bit vnode/inode number and a 32-bit uniquifier (as before).
Whilst the sprintf in afs_xattr_get_fid() has been partially updated (it
currently ignores the upper 32 bits of the 96-bit vnode number), the size
of the stack-based buffer has not been increased to match, thereby allowing
stack corruption to occur.

Fix this by increasing the buffer size appropriately and conditionally
including the upper part of the vnode number if it is non-zero.  The latter
requires the lower part to be zero-padded if the upper part is non-zero.

Fixes: 3b6492df4153 ("afs: Increase to 64-bit volume ID and 96-bit vnode ID for YFS")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/afs/xattr.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c
index a2cdf25573e24..706801c6c4c4c 100644
--- a/fs/afs/xattr.c
+++ b/fs/afs/xattr.c
@@ -69,11 +69,20 @@ static int afs_xattr_get_fid(const struct xattr_handler *handler,
 			     void *buffer, size_t size)
 {
 	struct afs_vnode *vnode = AFS_FS_I(inode);
-	char text[8 + 1 + 8 + 1 + 8 + 1];
+	char text[16 + 1 + 24 + 1 + 8 + 1];
 	size_t len;
 
-	len = sprintf(text, "%llx:%llx:%x",
-		      vnode->fid.vid, vnode->fid.vnode, vnode->fid.unique);
+	/* The volume ID is 64-bit, the vnode ID is 96-bit and the
+	 * uniquifier is 32-bit.
+	 */
+	len = sprintf(text, "%llx:", vnode->fid.vid);
+	if (vnode->fid.vnode_hi)
+		len += sprintf(text + len, "%x%016llx",
+			       vnode->fid.vnode_hi, vnode->fid.vnode);
+	else
+		len += sprintf(text + len, "%llx", vnode->fid.vnode);
+	len += sprintf(text + len, ":%x", vnode->fid.unique);
+
 	if (size == 0)
 		return len;
 	if (len > size)
-- 
2.20.1