Re: [PATCH 1/2] ocfs2/dlm: validate qr_numregions in dlm_match_regions()

From: Joseph Qi

Date: Wed Mar 18 2026 - 01:54:59 EST




On 3/7/26 3:21 PM, Junrui Luo wrote:
> The qr_numregions field from a DLM_QUERY_REGION network message is used
> directly as loop bounds in dlm_match_regions() without checking against
> O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
> (32) entries, a crafted message with qr_numregions > 32 causes
> out-of-bounds reads past the qr_regions buffer.
>
> Add a bounds check for qr_numregions before entering the loops.
>
> Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>

Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>

> ---
> fs/ocfs2/dlm/dlmdomain.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
> index 70ca79e4bdc3..0a28cb5ded2a 100644
> --- a/fs/ocfs2/dlm/dlmdomain.c
> +++ b/fs/ocfs2/dlm/dlmdomain.c
> @@ -980,6 +980,14 @@ static int dlm_match_regions(struct dlm_ctxt *dlm,
> goto bail;
> }
>
> + if (qr->qr_numregions > O2NM_MAX_REGIONS) {
> + mlog(ML_ERROR, "Domain %s: Joining node %d has invalid "
> + "number of heartbeat regions %u\n",
> + qr->qr_domain, qr->qr_node, qr->qr_numregions);
> + status = -EINVAL;
> + goto bail;
> + }
> +
> r = remote;
> for (i = 0; i < qr->qr_numregions; ++i) {
> mlog(0, "Region %.*s\n", O2HB_MAX_REGION_NAME_LEN, r);
>
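
Review bot: In the added mlog() call, qr->qr_domain is printed with an unbounded %s although qr arrives in a network message, while the region loop just below prints each name with a bounded "%.*s" and O2HB_MAX_REGION_NAME_LEN. If nothing earlier in dlm_match_regions() guarantees that the domain field is NUL-terminated, this new error path can itself read past the field. Consider a bounded format using the domain field's size, or state in the commit message where termination is ensured. A minor style point in the same call: the format string is split across two literals ("... has invalid " and "number of heartbeat regions %u\n"), which makes the message harder to grep for, so keeping it on one line would be preferable.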