Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1165451pxb; Wed, 29 Sep 2021 19:10:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw04rA7VLSJ3zJw0a3uyENPIusPpedAMNPtObVaIKbqlzU7SKf44BKJFg2McVnBtM7n/BVv X-Received: by 2002:a17:906:1f49:: with SMTP id d9mr3834820ejk.150.1632967844529; Wed, 29 Sep 2021 19:10:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632967844; cv=none; d=google.com; s=arc-20160816; b=k9qDJVpcTDrxjy+Nms38K6laDZsNZEvE5mdsAuzdY+8PyzWC8614Nhtcqc+es/T7+k siwb6iRnWtqaUgITfSyBiIaLvLM1+RpW+hPy5ZbE5c+3dVeCL+EEK2QYRNFbGrQ47btO C9WbW/EZ6adeS3hPRyXtcvs68l0nZQvAHYc8jt1M6oO5IAhvjVnSVXiYnBpEo492bIdT qNjGbymKoTxJMMsZR91jDr830d6xBzx1qZrF6OyO4LQjLbTNZraPi6JPfitggvNtl8q1 Q38sxHSN/scOHFVBHwDr14k+jniB3jQ7Tf2JIP68P98A4VmeLh4P75yrloxYG7R1F4E8 usig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=jZql74uqQorjlLZcQiuUePljVhcFWFUuKkGD/yxAS3o=; b=BNTiyf3pI2sTjVz8cbldcaRAW5tLzNbBWIV7r3I2fo8cIp/N/tDktr4/nGOaRZkRKo 8Jnm7lWMnKwq3SWccMh6t7I6anvZAJdIF1b4aFCzftozFg4DCzXvSo8JflCHxl6go+UM XIPPpXrWcxePvgx9xLGleqbwl+QUVHblzP0ArNK2SjwbNzIAkr8V9tvyq4ZsLfHBreu9 vfuAPRzj5itbkgt46eWJZyYBnmtmRy2/jqi/ceybQ+hlUB28W2tn5dQ7HMTr3v+8Uh5W hVbgBT5a93dvpPoy7NgyQIToCHiJ9hKQsaevQ5mq6vfF0+viDUVWzVeo+JBYhwQHmizO r/RA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z7si1920353edp.58.2021.09.29.19.10.20; Wed, 29 Sep 2021 19:10:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347583AbhI3B4a (ORCPT + 99 others); Wed, 29 Sep 2021 21:56:30 -0400 Received: from out30-57.freemail.mail.aliyun.com ([115.124.30.57]:54944 "EHLO out30-57.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233941AbhI3B43 (ORCPT ); Wed, 29 Sep 2021 21:56:29 -0400 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R261e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e04395;MF=joseph.qi@linux.alibaba.com;NM=1;PH=DS;RN=6;SR=0;TI=SMTPD_---0Uq41Vho_1632966885; Received: from B-D1K7ML85-0059.local(mailfrom:joseph.qi@linux.alibaba.com fp:SMTPD_---0Uq41Vho_1632966885) by smtp.aliyun-inc.com(127.0.0.1); Thu, 30 Sep 2021 09:54:46 +0800 Subject: Re: [PATCH v2] ocfs2: mount fails with buffer overflow in strlen To: Valentin Vidic , akpm Cc: Mark Fasheh , Joel Becker , ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org References: <1ab61ba3-8c9b-092c-7843-9c45b58e3987@linux.alibaba.com> <20210929180654.32460-1-vvidic@valentin-vidic.from.hr> From: Joseph Qi Message-ID: Date: Thu, 30 Sep 2021 09:54:45 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 MIME-Version: 1.0 In-Reply-To: <20210929180654.32460-1-vvidic@valentin-vidic.from.hr> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 9/30/21 2:06 AM, Valentin Vidic wrote: > Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an > ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the > trace below. Problem seems to be that strings for cluster stack and > cluster name are not guaranteed to be null terminated in the disk > representation, while strlcpy assumes that the source string is always > null terminated. This causes a read outside of the source string > triggering the buffer overflow detection. > > detected buffer overflow in strlen > ------------[ cut here ]------------ > kernel BUG at lib/string.c:1149! > invalid opcode: 0000 [#1] SMP PTI > CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 > Debian 5.14.6-2 > RIP: 0010:fortify_panic+0xf/0x11 > ... > Call Trace: > ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] > ocfs2_fill_super+0x359/0x19b0 [ocfs2] > mount_bdev+0x185/0x1b0 > ? ocfs2_remount+0x440/0x440 [ocfs2] > legacy_get_tree+0x27/0x40 > vfs_get_tree+0x25/0xb0 > path_mount+0x454/0xa20 > __x64_sys_mount+0x103/0x140 > do_syscall_64+0x3b/0xc0 > entry_SYSCALL_64_after_hwframe+0x44/0xae > > Signed-off-by: Valentin Vidic Reviewed-by: Joseph Qi > --- > v2: update description, add comment, drop null termination > > fs/ocfs2/super.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c > index c86bd4e60e20..5c914ce9b3ac 100644 > --- a/fs/ocfs2/super.c > +++ b/fs/ocfs2/super.c > @@ -2167,11 +2167,17 @@ static int ocfs2_initialize_super(struct super_block *sb, > } > > if (ocfs2_clusterinfo_valid(osb)) { > + /* > + * ci_stack and ci_cluster in ocfs2_cluster_info may not be null > + * terminated, so make sure no overflow happens here by using > + * memcpy. Destination strings will always be null terminated > + * because osb is allocated using kzalloc. > + */ > osb->osb_stackflags = > OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags; > - strlcpy(osb->osb_cluster_stack, > + memcpy(osb->osb_cluster_stack, > OCFS2_RAW_SB(di)->s_cluster_info.ci_stack, > - OCFS2_STACK_LABEL_LEN + 1); > + OCFS2_STACK_LABEL_LEN); > if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) { > mlog(ML_ERROR, > "couldn't mount because of an invalid " > @@ -2180,9 +2186,9 @@ static int ocfs2_initialize_super(struct super_block *sb, > status = -EINVAL; > goto bail; > } > - strlcpy(osb->osb_cluster_name, > + memcpy(osb->osb_cluster_name, > OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster, > - OCFS2_CLUSTER_NAME_LEN + 1); > + OCFS2_CLUSTER_NAME_LEN); > } else { > /* The empty string is identical with classic tools that > * don't know about s_cluster_info. */ >