Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp339136pxb;
        Tue, 28 Sep 2021 23:53:21 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwFwKdqnfe2ZEeI62uwrpY8XDMJ7nj6f/FiQD0j5HyS7hjXAs/C1uaQ/untZccd3tULlWnc
X-Received: by 2002:a17:906:658:: with SMTP id t24mr11271677ejb.358.1632898400797;
        Tue, 28 Sep 2021 23:53:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1632898400; cv=none;
        d=google.com; s=arc-20160816;
        b=MoRbI1TzzYf8dRa6QzH+fazXkmoYCe5EAzGGuG5n8WHI/n+hSG2Pxfu34RdtInavye
         00ZN0tZuLtaL0JRIqixT/lgscTwic4dNITREvXruvE1NIaw3KIMtu5ZM1fZpQUXumFis
         KHGB8k/Auoe0baH47nZEgZTPLbXLOoJTacesImwDWr5+OEjF25goPYpaNQSuTUbksSqr
         Rz4joqc62NqJbTCHDPkg92AGwfAtOzcw07wocN7gO0KvAJVbl37PUQDvHIEyqLa6Jl3d
         nlyf9XLckokgXc9B/J67HujoBpVl+lFYlDGL3yuZNVwgCDnTKJvnw2UwjId9En9eesLz
         xUpA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=87UG4M6PKxJVgFZNnssRSPeCI+Kk7GJBUEncdt5VozQ=;
        b=XZuO1/RHwf+dt+/3s/a1g1rQSZnsQlhZJ6ECSt1gp+8C3HXqvcsb6ZbH7Ut70OR1w6
         isWMgITHYFKf+QucpofL10ENqQAhU8YhuqNKzs/zmYPs4oP8BbQkAdeII7pDqE2kXw5C
         vzqpMXspEORUDPSk6XgUgQKe+I7viYZgZmD4aX0BIKqj9ydjiWL+pqTvZ2ld77oF9ObN
         yvjvQ6T1Z6WKluUtQ+FOrmixMvvzyWlUP1NnqDgx3FMCQJWYToQHOFwVQO7Ha3xu+uRr
         VCbfVnTYTnqScGmftotKDQ82voB+VOdRpX+bIrh5cRCoUX43uIlF12lpxepNAHx6jiKD
         ZrcA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@valentin-vidic.from.hr header.s=2020 header.b=NFFj8bZT;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=valentin-vidic.from.hr
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id m19si1601301ejd.372.2021.09.28.23.52.57;
        Tue, 28 Sep 2021 23:53:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@valentin-vidic.from.hr header.s=2020 header.b=NFFj8bZT;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=valentin-vidic.from.hr
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244326AbhI2G0W (ORCPT <rfc822;loic.yhuel@gmail.com> + 99 others);
        Wed, 29 Sep 2021 02:26:22 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45022 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S243959AbhI2G0V (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Sep 2021 02:26:21 -0400
Received: from valentin-vidic.from.hr (valentin-vidic.from.hr [IPv6:2001:470:1f0b:3b7::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 98B6BC06161C
        for <linux-kernel@vger.kernel.org>; Tue, 28 Sep 2021 23:24:40 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at valentin-vidic.from.hr
Received: by valentin-vidic.from.hr (Postfix, from userid 1000)
        id E067570C2; Wed, 29 Sep 2021 08:24:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=valentin-vidic.from.hr; s=2020; t=1632896674;
        bh=87UG4M6PKxJVgFZNnssRSPeCI+Kk7GJBUEncdt5VozQ=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=NFFj8bZTJpdNPr+KV1fmxaFn7eD3ClGTU0VybVvo2qrbe2A9FxhpHNEzp0cohyjlE
         +1vVCDdumjr41UCEn4+BZfdf8joicdulOB6bc667joF8DQ+Hm4mKRyODDLP544rOCw
         HwR7EAbM7oxTL58OTjrT6f7olijxYysNynDGrbuZYGKWlfzqGCGzX7kQ2vqes3iBFA
         I7R2b1LToYCwzLBsBzqhss8tj0V7jK8pH2AEAw0jS8T2dqnyovFOiVgVhL1CFm3iHl
         WDYXs9tk67m6QlmrZRKm3q4Xhf1SRyswHyiNafwng2HOJ2el037+7Iarjbl95hs5qf
         VFM60ZcbLs1AneLaJ/PYK7EIrkuOjH5T4xByhe0XgjosRtxgGk6ito4217mKOk9yG6
         lHiWqenssePpIKGtrXapzt2gK7sQY6cOn/XMR2rIJS77WhQU52c5mkGtIN42skFGLm
         p51AGFTRGc7DnTRO6005OT398COP2LSZsTtobEfZkwA1Q27uWMuqF1WIr8mvotQEkF
         VNwUr5BuDxRvdO9e2Sysif8/8CxWON/cFbtNmuouPcNAIICjvEqBEU3EwuU9f5zCmb
         /TqXtK2Ks/ZFtcqk9aEhAEICbVr4iqglUx8HM9GdrCu+i9BuKE/uXzJ0wbnYVaCES9
         s+L0oxM4572o3G5TD7qjFi0Y=
Date:   Wed, 29 Sep 2021 08:24:34 +0200
From:   Valentin =?utf-8?B?VmlkacSH?= <vvidic@valentin-vidic.from.hr>
To:     Joseph Qi <joseph.qi@linux.alibaba.com>
Cc:     Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>,
        ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ocfs2: mount fails with buffer overflow in strlen
Message-ID: <20210929062434.GN28341@valentin-vidic.from.hr>
References: <20210927154459.15976-1-vvidic@valentin-vidic.from.hr>
 <00850aed-2027-a0ab-e801-c6498a5a49f8@linux.alibaba.com>
 <20210928131450.GM28341@valentin-vidic.from.hr>
 <212f878e-1bbe-347c-ba43-e4ffb9b4afbe@linux.alibaba.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <212f878e-1bbe-347c-ba43-e4ffb9b4afbe@linux.alibaba.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Sep 29, 2021 at 10:38:59AM +0800, Joseph Qi wrote:
> Okay, you are right, strlen(src) is indeed wrong here.
> 
> But please note that in strlcpy():
> size_t ret = strlen(src);
> if (size) {
> 	size_t len = (ret >= size) ? size - 1 : ret;
> 	memcpy(dest, src, len);
> 	dest[len] = '\0';
> }
> 
> Take ci_stack "o2cb" for example, strlen("o2cb") may return wrong if the
> coming byte is not null, say it is 10.
> The input size is 5, so len will finally be 4.
> So dest is still correct ending with null byte. No overflow happens.
> So the problem here is the wrong return value, but it is discarded in
> ocfs2_initialize_super().

strlcpy starts with a call to strlen(src) and this is where the read overflow
happens. If the kernel is compiled with CONFIG_FORTIFY_SOURCE this gets
executed instead (include/linux/fortify-string.h):

__FORTIFY_INLINE __kernel_size_t strlen(const char *p)
{
        __kernel_size_t ret;
        size_t p_size = __builtin_object_size(p, 1);

        /* Work around gcc excess stack consumption issue */
        if (p_size == (size_t)-1 ||
                (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0'))
                return __underlying_strlen(p);
        ret = strnlen(p, p_size);
        if (p_size <= ret)
                fortify_panic(__func__);
        return ret;
}

So while strlcpy did work before this fortify check, it is probably not the
best option anymore due to the missing null terminator in the source.

-- 
Valentin