[PATCH 1/2] ocfs2: bound namelen in dlm_migrate_request_handler

From: Bryam Vargas via B4 Relay

Date: Mon Jun 29 2026 - 01:02:13 EST


From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>

A node receiving a DLM_MIGRATE_REQUEST message trusts the peer-supplied
name length (migrate->namelen) without bounding it. dlm_init_mle() then
copies that many bytes into the fixed DLM_LOCKID_NAME_MAX-byte mname[]
array of an o2dlm_mle slab object, so a malformed message from a cluster
peer overflows the slab object by up to ~215 bytes: a heap out-of-bounds
write of attacker-controlled data, reachable by any node in the domain.

Reject an oversized name, the way dlm_master_request_handler() and the
other o2dlm receive handlers already do; the migration handler omits the
check entirely. Conforming messages are unaffected.

Fixes: 6714d8e86bf4 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
---
fs/ocfs2/dlm/dlmmaster.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/ocfs2/dlm/dlmmaster.c b/fs/ocfs2/dlm/dlmmaster.c
index 93eff38fdadd..bd7623cc6e77 100644
--- a/fs/ocfs2/dlm/dlmmaster.c
+++ b/fs/ocfs2/dlm/dlmmaster.c
@@ -3100,6 +3100,12 @@ int dlm_migrate_request_handler(struct o2net_msg *msg, u32 len, void *data,

name = migrate->name;
namelen = migrate->namelen;
+ if (namelen > DLM_LOCKID_NAME_MAX) {
+ mlog(ML_ERROR, "%s: invalid name length %u in migrate request\n",
+ dlm->name, namelen);
+ ret = -EINVAL;
+ goto leave;
+ }
hash = dlm_lockid_hash(name, namelen);

/* preallocate.. if this fails, abort */
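Review bot: the bound sits in the right place in this hunk, before dlm_lockid_hash(name, namelen) (which also walks namelen bytes of the peer-supplied buffer, so it must not run on an unchecked length) and before the mle preallocation that follows the "/* preallocate.. */" comment, which means `goto leave` has nothing to free on this path. Two points to confirm in the commit message or the code: the `>` comparison admits a name of exactly DLM_LOCKID_NAME_MAX bytes, which fills mname[] with no room for a terminator, so it should be stated that this matches the comparison used in dlm_master_request_handler() and that the surrounding code only ever relies on the stored length, not a NUL; and since the message says the other o2dlm receive handlers already reject oversized names, it would help to say what they return on that path, so that `ret = -EINVAL` here is a deliberate choice rather than a second convention for the same error.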

--
2.43.0