Re: [PATCH] orangefs: fix a oob in orangefs_debug_write

From: Mike Marshall
Date: Tue Dec 31 2024 - 19:10:47 EST
I used Al's suggestion on top of 6.13.0-rc5 and ran
it through xfstests with no problem. Since I doubt xfstests
runs down this code path I also did some other tests.

I made some files with comma separated debug settings and
catted them onto /sys/kernel/debug/orangefs/kernel-debug.

When I caused the file to be longer than
ORANGEFS_MAX_DEBUG_STRING_LEN
I could see that execution flowed down the
code path with Al's suggested changes, and
the proper thing happened.

Anywho... I'll send this up in the merge window unless
someone else (Edward?) plans to...

-Mike

On Sun, Dec 22, 2024 at 5:35 AM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> On Sun, Dec 22, 2024 at 04:14:13PM +0800, Edward Adam Davis wrote:
> > syzbot reported a slab-out-of-bounds Read in orangefs_debug_write. [1]
> >
> > The string passed in from userspace is not terminated with a NULL character,
> > which causes strlen to go out of bounds.
> >
> > Use kstrndup to replace kstrdup.
>
> Better to replace
> 	if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
> 		silly = count;
> 		count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
> 	}
> with
> 	if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
> 		silly = count;
> 		count = ORANGEFS_MAX_DEBUG_STRING_LEN;
> 	}
> instead, so that we wouldn't have to deal with lack of NUL anywhere.
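The off-by-one behind this thread, as an added user-space model; this is not orangefs code and not from anyone in the thread. It assumes details the mails do not state: that the handler's buffer holds ORANGEFS_MAX_DEBUG_STRING_LEN bytes, that it copies `count - 1` bytes from user space and then stores the terminator at `buf[count - 1]`; the limit value 64 is a placeholder chosen for the demo. A guard byte stands in for the neighbouring slab object, so the model shows where the terminator lands (and where a later `strlen()` would stop) under the original clamp versus the one Al suggests.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the clamp discussed in the thread, not orangefs code.
 * Assumed, not stated in the mails: the buffer holds
 * ORANGEFS_MAX_DEBUG_STRING_LEN bytes, count - 1 bytes are copied from the
 * user, and the terminator is stored at buf[count - 1]. The value 64 is a
 * placeholder for the demo, not the kernel's constant.
 */
#define ORANGEFS_MAX_DEBUG_STRING_LEN 64

/* Clamp as it stood in the tree: count may still be LEN + 1. */
static size_t clamp_count_old(size_t count)
{
	if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1)
		count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
	return count;
}

/* Clamp as Al suggests: count never exceeds LEN. */
static size_t clamp_count_new(size_t count)
{
	if (count > ORANGEFS_MAX_DEBUG_STRING_LEN)
		count = ORANGEFS_MAX_DEBUG_STRING_LEN;
	return count;
}

/* True if the terminator at buf[count - 1] lands inside a LEN-byte buffer. */
static bool terminator_in_bounds(size_t clamped_count)
{
	return clamped_count - 1 < ORANGEFS_MAX_DEBUG_STRING_LEN;
}

/* The buffer plus one byte standing in for the neighbouring slab object. */
struct slab_like {
	char buf[ORANGEFS_MAX_DEBUG_STRING_LEN];
	char guard;
};

struct write_result {
	size_t len;		/* what strlen() on buf would report */
	bool guard_clobbered;	/* terminator spilled past buf[] */
};

/*
 * Mimic the write path with a given clamp. Every store goes through the
 * enclosing struct, so the model stays well-defined C even when the index
 * reaches the guard byte; the length scan is bounded by the struct so the
 * model never reads past it either.
 */
static struct write_result model_write(const char *ubuf, size_t count,
				       size_t (*clamp)(size_t))
{
	struct slab_like s;
	struct write_result r;
	char *raw = (char *)&s;
	size_t i;

	memset(&s, 'A', sizeof s);	/* stale bytes, like a reused slab object */
	s.guard = 'G';

	count = clamp(count);
	memcpy(s.buf, ubuf, count - 1);	/* copy_from_user(buf, ubuf, count - 1) */
	raw[count - 1] = '\0';		/* buf[count - 1] = '\0' */

	for (i = 0; i < sizeof s && raw[i] != '\0'; i++)
		;
	r.len = i;
	r.guard_clobbered = s.guard != 'G';
	return r;
}

/* Run the model on a constructed 100-byte input that contains no NUL. */
static struct write_result demo_long_input(size_t (*clamp)(size_t))
{
	char user_input[100];

	memset(user_input, 'x', sizeof user_input);
	return model_write(user_input, sizeof user_input, clamp);
}

int main(void)
{
	struct write_result old = demo_long_input(clamp_count_old);
	struct write_result fixed = demo_long_input(clamp_count_new);

	printf("old clamp: terminator in bounds=%d len=%zu guard clobbered=%s\n",
	       terminator_in_bounds(clamp_count_old(100)), old.len,
	       old.guard_clobbered ? "yes" : "no");
	printf("new clamp: terminator in bounds=%d len=%zu guard clobbered=%s\n",
	       terminator_in_bounds(clamp_count_new(100)), fixed.len,
	       fixed.guard_clobbered ? "yes" : "no");
	return 0;
}
```

With the original clamp a 100-byte write is cut to 65, so 64 bytes fill the buffer and the terminator is stored one past its end; the string is then only terminated by whatever follows the allocation, which is exactly what a `strlen()` on it walks into. Clamping to ORANGEFS_MAX_DEBUG_STRING_LEN keeps the terminator at index 63, inside the buffer, for every possible `count`.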