From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Valentin Vidic, Joseph Qi, Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Gang He, Jun Piao, Andrew Morton, Linus Torvalds
Subject: [PATCH 5.4 28/58] ocfs2: mount fails with buffer overflow in strlen
Date: Mon, 25 Oct 2021 21:14:45 +0200
Message-Id: <20211025190942.160115120@linuxfoundation.org>
X-Mailer: git-send-email 2.33.1
In-Reply-To: <20211025190937.555108060@linuxfoundation.org>
References: <20211025190937.555108060@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Valentin Vidic

commit b15fa9224e6e1239414525d8d556d824701849fc upstream.

Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mounting an ocfs2
filesystem with either o2cb or pcmk cluster stack fails with the trace below.
Problem seems to be that strings for cluster stack and cluster name are not
guaranteed to be null terminated in the disk representation, while strlcpy
assumes that the source string is always null terminated. This causes a read
outside of the source string triggering the buffer overflow detection.

detected buffer overflow in strlen
------------[ cut here ]------------
kernel BUG at lib/string.c:1149!
invalid opcode: 0000 [#1] SMP PTI
CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 Debian 5.14.6-2
RIP: 0010:fortify_panic+0xf/0x11
...
Call Trace:
 ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]
 ocfs2_fill_super+0x359/0x19b0 [ocfs2]
 mount_bdev+0x185/0x1b0
 legacy_get_tree+0x27/0x40
 vfs_get_tree+0x25/0xb0
 path_mount+0x454/0xa20
 __x64_sys_mount+0x103/0x140
 do_syscall_64+0x3b/0xc0
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Link: https://lkml.kernel.org/r/20210929180654.32460-1-vvidic@valentin-vidic.from.hr
Signed-off-by: Valentin Vidic Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/ocfs2/super.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) --- a/fs/ocfs2/super.c +++ b/fs/ocfs2/super.c @@ -2150,11 +2150,17 @@ static int ocfs2_initialize_super(struct } if (ocfs2_clusterinfo_valid(osb)) { + /* + * ci_stack and ci_cluster in ocfs2_cluster_info may not be null + * terminated, so make sure no overflow happens here by using + * memcpy. Destination strings will always be null terminated + * because osb is allocated using kzalloc. + */ osb->osb_stackflags = OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags; - strlcpy(osb->osb_cluster_stack, + memcpy(osb->osb_cluster_stack, OCFS2_RAW_SB(di)->s_cluster_info.ci_stack, - OCFS2_STACK_LABEL_LEN + 1); + OCFS2_STACK_LABEL_LEN); if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) { mlog(ML_ERROR, "couldn't mount because of an invalid " @@ -2163,9 +2169,9 @@ static int ocfs2_initialize_super(struct status = -EINVAL; goto bail; } - strlcpy(osb->osb_cluster_name, + memcpy(osb->osb_cluster_name, OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster, - OCFS2_CLUSTER_NAME_LEN + 1); + OCFS2_CLUSTER_NAME_LEN); } else { /* The empty string is identical with classic tools that * don't know about s_cluster_info. */
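Review bot: in the first hunk (@@ -2150, the ci_stack copy) the new memcpy is only correct because osb->osb_cluster_stack is at least OCFS2_STACK_LABEL_LEN + 1 bytes and the byte after the copied label is still zero from kzalloc, but neither condition is enforced at the copy site; the comment states it, yet a guard such as `BUILD_BUG_ON(sizeof(osb->osb_cluster_stack) <= OCFS2_STACK_LABEL_LEN);` or an explicit `osb->osb_cluster_stack[OCFS2_STACK_LABEL_LEN] = '\0';` after the memcpy would keep the following `strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN` check meaningful if the field size or the allocation changes later. The removed strlcpy passed OCFS2_STACK_LABEL_LEN + 1 as its size, which is the only visible hint that the destination is that wide.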
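Review bot: in the second hunk (@@ -2163, the ci_cluster copy) the cluster name gets no length validation comparable to the strlen check on the stack label, so osb->osb_cluster_name now holds all OCFS2_CLUSTER_NAME_LEN on-disk bytes, including anything after an embedded NUL that the old strlcpy would have stopped at; C-string consumers see the same value, but any caller that compares or copies the whole buffer with memcmp or sizeof now sees the padding too, and termination rests solely on kzalloc. Suggest either a terminating `osb->osb_cluster_name[OCFS2_CLUSTER_NAME_LEN] = '\0';` after the memcpy or a short comment that only the C-string prefix of osb_cluster_name is meaningful.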
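As an added example (not code from this patch or from the ocfs2 tree), the following userspace C model reproduces the failure mode the commit message describes and the fix the patch applies: a fixed-width on-disk field with no terminator, a strlcpy() whose initial strlen() runs past that field and is flagged by the fortify check, and the memcpy() into a zeroed, one-byte-wider buffer that replaces it. The two structs, the field widths 4 and 16, the function names and the way the sample record is formatted are assumptions standing in for the real ocfs2_cluster_info, ocfs2_super and OCFS2_*_LEN definitions; the fortify behaviour is modeled with a bounded length scan rather than the compiler's object-size tracking.

```c
#include <errno.h>
#include <string.h>

/* Field widths assumed for the example (stand-ins for OCFS2_STACK_LABEL_LEN
 * and OCFS2_CLUSTER_NAME_LEN). */
#define STACK_LABEL_LEN   4
#define CLUSTER_NAME_LEN  16

/* Constructed on-disk layout: fixed-width fields, not promised to be NUL-terminated. */
struct disk_cluster_info {
	unsigned char ci_stackflags;
	unsigned char ci_stack[STACK_LABEL_LEN];
	unsigned char ci_cluster[CLUSTER_NAME_LEN];
};

/* In-memory copy: one byte wider than each field, zeroed as kzalloc() would. */
struct mem_super {
	unsigned char stackflags;
	char cluster_stack[STACK_LABEL_LEN + 1];
	char cluster_name[CLUSTER_NAME_LEN + 1];
};

/* Bytes before the first NUL in a fixed-width field, capped at its size. */
static size_t field_strlen(const unsigned char *p, size_t size)
{
	size_t n = 0;
	while (n < size && p[n] != '\0')
		n++;
	return n;
}

/* Models strlcpy() under CONFIG_FORTIFY_SOURCE: it begins with strlen(src), and the
 * fortified strlen() rejects a result not smaller than the source object. Returns
 * -EFAULT where the kernel would call fortify_panic() instead of reading on. */
static int fortified_strlcpy(char *dst, size_t dstsize,
			     const unsigned char *src, size_t srcsize)
{
	size_t len = field_strlen(src, srcsize);
	if (len >= srcsize)
		return -EFAULT;	/* "detected buffer overflow in strlen" */
	if (len > dstsize - 1)
		len = dstsize - 1;
	memcpy(dst, src, len);
	dst[len] = '\0';
	return 0;
}

/* Pre-patch logic: strlcpy() sized to the field plus its terminator. */
int initialize_super_before(struct mem_super *osb,
			    const struct disk_cluster_info *ci)
{
	memset(osb, 0, sizeof(*osb));
	osb->stackflags = ci->ci_stackflags;
	if (fortified_strlcpy(osb->cluster_stack, STACK_LABEL_LEN + 1,
			      ci->ci_stack, sizeof(ci->ci_stack)))
		return -EFAULT;
	if (strlen(osb->cluster_stack) != STACK_LABEL_LEN)
		return -EINVAL;
	return fortified_strlcpy(osb->cluster_name, CLUSTER_NAME_LEN + 1,
				 ci->ci_cluster, sizeof(ci->ci_cluster));
}

/* Post-patch logic: memcpy() exactly the field width; the spare zeroed byte in
 * the destination terminates the string and nothing reads past the source. */
int initialize_super_after(struct mem_super *osb,
			   const struct disk_cluster_info *ci)
{
	memset(osb, 0, sizeof(*osb));
	osb->stackflags = ci->ci_stackflags;
	memcpy(osb->cluster_stack, ci->ci_stack, STACK_LABEL_LEN);
	if (strlen(osb->cluster_stack) != STACK_LABEL_LEN)
		return -EINVAL;
	memcpy(osb->cluster_name, ci->ci_cluster, CLUSTER_NAME_LEN);
	return 0;
}

/* Build a record as a formatting tool would (the value fills the field; a NUL is
 * present only when it is shorter) and run it through one path. Returns the
 * negative status on failure, else 1 when both copied strings round-trip. */
int try_mount(int patched, const char *stack, const char *cluster)
{
	struct disk_cluster_info ci;
	struct mem_super osb;
	int ret;

	memset(&ci, 0, sizeof(ci));
	memcpy(ci.ci_stack, stack,
	       field_strlen((const unsigned char *)stack, STACK_LABEL_LEN));
	memcpy(ci.ci_cluster, cluster,
	       field_strlen((const unsigned char *)cluster, CLUSTER_NAME_LEN));
	ret = patched ? initialize_super_after(&osb, &ci)
		      : initialize_super_before(&osb, &ci);
	if (ret)
		return ret;
	return strcmp(osb.cluster_stack, stack) == 0 &&
	       strcmp(osb.cluster_name, cluster) == 0;
}
```

Because a valid stack label always fills all four bytes of ci_stack, try_mount(0, "o2cb", "mycluster") fails with -EFAULT on every correctly formatted volume, which is the same outcome as the fortify_panic() in the trace, while try_mount(1, "o2cb", "mycluster") returns 1 with both strings terminated. A too-short label such as "o2c" is rejected with -EINVAL on both paths. The memcpy() variant is safe only because the destination is one byte wider than the field and was zeroed beforehand; drop either assumption and the copy silently produces an unterminated string, which is why the strlen() check that follows it matters.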