* [PATCH] dlm: validate message length in receive_rcom_lookup and receive_rcom_names
@ 2026-03-13 22:27 Jenny Guanni Qu
0 siblings, 0 replies; only message in thread
From: Jenny Guanni Qu @ 2026-03-13 22:27 UTC (permalink / raw)
To: aahringo, teigland; +Cc: gfs2, klaudia, dawid, Jenny Guanni Qu
receive_rcom_lookup() and receive_rcom_names() compute a data length
by subtracting sizeof(struct dlm_rcom) from the network-supplied
h_length field. If h_length is smaller than sizeof(struct dlm_rcom),
the subtraction underflows to a negative int. This negative value is
then passed to functions that cast it to size_t, causing massive
out-of-bounds reads.
For example, h_length=16 gives len = 16 - 48 = -32, which when cast
to size_t becomes ~18 exabytes. The subsequent memcpy in
dlm_search_rsb_tree() triggers a slab-out-of-bounds read.
Add checks for negative len/inlen after the computation in both
functions.
The OOB read was confirmed with KASAN using a test module that
reproduces the signed integer underflow and subsequent memcpy pattern.
Fixes: e7fd41792fc0 ("[DLM] The core of the DLM for GFS2/CLVM")
Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
---
fs/dlm/rcom.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/dlm/rcom.c b/fs/dlm/rcom.c
index be1a71a6303a..406a100a5887 100644
--- a/fs/dlm/rcom.c
+++ b/fs/dlm/rcom.c
@@ -343,6 +343,8 @@ static void receive_rcom_names(struct dlm_ls *ls, const struct dlm_rcom *rc_in,
nodeid = le32_to_cpu(rc_in->rc_header.h_nodeid);
inlen = le16_to_cpu(rc_in->rc_header.h_length) -
sizeof(struct dlm_rcom);
+ if (inlen < 0)
+ return;
outlen = DLM_MAX_APP_BUFSIZE - sizeof(struct dlm_rcom);
error = create_rcom(ls, nodeid, DLM_RCOM_NAMES_REPLY, outlen,
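Review bot: the new `if (inlen < 0) return;` in receive_rcom_names() drops the message silently. A peer whose h_length is below sizeof(struct dlm_rcom) is either broken or hostile, and receive_rcom_lookup() already reports anomalies via log_error() for its debug-dump case, so log the nodeid and the received h_length before returning. Consider also testing the unsigned source rather than the sign of a narrowed result, e.g. `if (le16_to_cpu(rc_in->rc_header.h_length) < sizeof(struct dlm_rcom))`: inlen is an int assigned from a size_t subtraction, so the `< 0` test only works because of that implicit truncation, which is the very mechanism the commit message describes as the root cause.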
@@ -385,6 +387,9 @@ static void receive_rcom_lookup(struct dlm_ls *ls,
int len = le16_to_cpu(rc_in->rc_header.h_length) -
sizeof(struct dlm_rcom);
+ if (len < 0)
+ return;
+
/* Old code would send this special id to trigger a debug dump. */
if (rc_in->rc_id == cpu_to_le64(0xFFFFFFFF)) {
log_error(ls, "receive_rcom_lookup dump from %d", nodeid);
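Review bot: this hunk repeats the same subtract-then-test-sign pattern as the receive_rcom_names() hunk, with `int len = le16_to_cpu(...) - sizeof(struct dlm_rcom);` followed by `if (len < 0) return;`. A small shared helper that validates h_length against sizeof(struct dlm_rcom) once and returns the payload length (or an error) would keep the two call sites from drifting and would make the bound explicit instead of relying on size_t-to-int narrowing. Note also that the early return now precedes the `rc_id == cpu_to_le64(0xFFFFFFFF)` branch, so an undersized dump request that previously reached log_error() is discarded with no log line at all; add a log_error() with nodeid and h_length alongside the return.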
--
2.34.1
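The integer narrowing described in the commit message, as an added stand-alone example that is not DLM code and not part of the original patch. It assumes a header layout that reproduces the 48-byte sizeof(struct dlm_rcom) quoted above, uses host byte order (no le16_to_cpu), and uses hypothetical function names (vuln_payload_len, safe_payload_len, make_sample) chosen here for illustration. It shows the u16 minus size_t subtraction wrapping in size_t, being truncated into a negative int, and then widening back into a huge size_t, beside a hardened version that checks h_length against both the fixed header size and the number of bytes actually received.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the on-wire RCOM: a 16-byte header followed by
 * 32 bytes of fixed rcom fields, so sizeof(struct ex_rcom) is 48 as in the
 * commit message.  Field names mirror the kernel's; the layout is an
 * assumption made for this example. */
struct ex_header {
	uint32_t h_version;
	uint32_t h_pad;
	uint32_t h_nodeid;
	uint16_t h_length;   /* total message length, attacker-controlled */
	uint8_t  h_cmd;
	uint8_t  h_pad2;
};

struct ex_rcom {
	struct ex_header rc_header;
	uint32_t rc_type;
	uint32_t rc_result;
	uint64_t rc_id;
	uint64_t rc_seq;
	uint64_t rc_seq_reply;
	char     rc_buf[];   /* variable-length payload */
};

_Static_assert(sizeof(struct ex_rcom) == 48, "layout must match the 48 bytes in the text");

/* Vulnerable computation: h_length (u16, promoted to int) minus a size_t is
 * evaluated in size_t, wraps for h_length < 48, then narrows into int. */
int vuln_payload_len(const struct ex_rcom *rc)
{
	int len = rc->rc_header.h_length - sizeof(struct ex_rcom);
	return len;
}

/* What a memcpy() length parameter sees once that int is widened again. */
size_t as_size_t(int len)
{
	return (size_t)len;
}

/* Hardened: validate the unsigned source before subtracting, and bound the
 * payload by the bytes that were actually received (received_len). */
int safe_payload_len(const struct ex_rcom *rc, size_t received_len)
{
	size_t h_length = rc->rc_header.h_length;

	if (h_length < sizeof(struct ex_rcom))
		return -1;   /* header claims fewer bytes than the fixed part */
	if (h_length > received_len)
		return -1;   /* header claims more than was received */
	return (int)(h_length - sizeof(struct ex_rcom));
}

/* Builds a constructed sample message in aligned caller storage. */
static struct ex_rcom *make_sample(uint64_t *storage, size_t storage_len, uint16_t h_length)
{
	struct ex_rcom *rc = (struct ex_rcom *)storage;

	memset(storage, 0, storage_len);
	rc->rc_header.h_nodeid = 2;
	rc->rc_header.h_cmd = 4;   /* arbitrary "rcom" command id for the sample */
	rc->rc_header.h_length = h_length;
	return rc;
}

int vuln_len_for(uint16_t h_length)
{
	uint64_t storage[8];   /* 64 bytes, 8-byte aligned */
	return vuln_payload_len(make_sample(storage, sizeof(storage), h_length));
}

int safe_len_for(uint16_t h_length, size_t received_len)
{
	uint64_t storage[8];
	return safe_payload_len(make_sample(storage, sizeof(storage), h_length), received_len);
}

int main(void)
{
	int len = vuln_len_for(16);

	printf("h_length=16: vulnerable len = %d, as size_t = %zu\n", len, as_size_t(len));
	printf("h_length=16: hardened len   = %d\n", safe_len_for(16, 64));
	printf("h_length=56, 64 bytes received: hardened len = %d\n", safe_len_for(56, 64));
	printf("h_length=56, 48 bytes received: hardened len = %d\n", safe_len_for(56, 48));
	return 0;
}
```

The second bound in safe_payload_len() is the part the patch does not address: a negative check stops the wrap, but a peer can still claim an h_length larger than the buffer it actually sent unless the receive path compares h_length against the received byte count as well.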