From: Pei Li <peili.dev@gmail.com>
To: Theodore Ts'o <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>
Cc: linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
skhan@linuxfoundation.org, syzkaller-bugs@googlegroups.com,
linux-kernel-mentees@lists.linuxfoundation.org,
syzbot+2cab87506a0e7885f4b9@syzkaller.appspotmail.com,
Pei Li <peili.dev@gmail.com>
Subject: [PATCH v2] Fix WARNING in __ext4_ioctl
Date: Tue, 02 Jul 2024 17:07:00 -0700 [thread overview]
Message-ID: <20240702-bug8-v2-1-be675f490db1@gmail.com> (raw)
Specify the size of s_volume_name in strscpy_pad() to avoid buffer
overflow.
strscpy_pad() by default takes the size of destination string as the
size to be read from source string. However, as s_volume_name is only
declared as an array of size EXT4_LABEL_MAX, we are reading 1 byte more
than expected.
Reported-by: syzbot+2cab87506a0e7885f4b9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2cab87506a0e7885f4b9
Fixes: 744a56389f73 ("ext4: replace deprecated strncpy with alternatives")
Signed-off-by: Pei Li <peili.dev@gmail.com>
---
strscpy_pad() by default takes the size of destination string as the
size to be read from source string. However, as s_volume_name is only
declared as an array of size EXT4_LABEL_MAX, we are reading 1 byte more
than expected.
Specify the size of s_volume_name in strscpy_pad() to avoid buffer
overflow.
---
Changes in v2:
- Add fixes label
- Move workaround into commit log
- Link to v1: https://lore.kernel.org/r/20240628-bug8-v1-1-417ef53cca33@gmail.com
---
fs/ext4/ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index dab7acd49709..0c4fb579757a 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -1151,7 +1151,7 @@ static int ext4_ioctl_getlabel(struct ext4_sb_info *sbi, char __user *user_label
BUILD_BUG_ON(EXT4_LABEL_MAX >= FSLABEL_MAX);
lock_buffer(sbi->s_sbh);
- strscpy_pad(label, sbi->s_es->s_volume_name);
+ strscpy_pad(label, sbi->s_es->s_volume_name, EXT4_LABEL_MAX);
unlock_buffer(sbi->s_sbh);
if (copy_to_user(user_label, label, sizeof(label)))
---
base-commit: 55027e689933ba2e64f3d245fb1ff185b3e7fc81
change-id: 20240628-bug8-7f700a228c4a
Best regards,
--
Pei Li <peili.dev@gmail.com>
next reply other threads:[~2024-07-03 0:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-03 0:07 Pei Li [this message]
2024-07-03 1:24 ` [PATCH v2] Fix WARNING in __ext4_ioctl Zhang Yi
2024-07-11 2:42 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240702-bug8-v2-1-be675f490db1@gmail.com \
--to=peili.dev@gmail.com \
--cc=adilger.kernel@dilger.ca \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+2cab87506a0e7885f4b9@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.