Date: Sun, 22 Dec 2024 10:35:22 +0000
From: Al Viro
To: Edward Adam Davis
Cc: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com, devel@lists.orangefs.org, hubcap@omnibond.com, linux-kernel@vger.kernel.org, martin@omnibond.com, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] orangefs: fix a oob in orangefs_debug_write
Message-ID: <20241222103522.GE1977892@ZenIV>
References: <6767aabc.050a0220.25abdd.0136.GAE@google.com>

On Sun, Dec 22, 2024 at 04:14:13PM +0800, Edward Adam Davis wrote:
> syzbot reports a slab-out-of-bounds Read in orangefs_debug_write. [1]
>
> The string passed in from userspace is not terminated with a NULL character,
> which causes strlen to go out of bounds.
>
> Use kstrndup to replace kstrdup.

Better to replace
	if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
		silly = count;
		count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
	}
with
	if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
		silly = count;
		count = ORANGEFS_MAX_DEBUG_STRING_LEN;
	}
instead, so that we wouldn't have to deal with lack of NUL anywhere.
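
The following user-space model of the two clamps discussed in this message is an added example, not code from the message or from the kernel tree. It assumes the destination is a zero-filled buffer of ORANGEFS_MAX_DEBUG_STRING_LEN + 1 bytes (the message does not show the allocation); DEMO_MAX_LEN, clamp_old, clamp_new and terminated_after_write are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for ORANGEFS_MAX_DEBUG_STRING_LEN (real value not on the page). */
#define DEMO_MAX_LEN ((size_t)16)

/* Clamp quoted as the existing code: up to DEMO_MAX_LEN + 1 bytes are accepted. */
static size_t clamp_old(size_t count)
{
	return count > DEMO_MAX_LEN + 1 ? DEMO_MAX_LEN + 1 : count;
}

/* Clamp suggested in the reply: at most DEMO_MAX_LEN bytes are accepted. */
static size_t clamp_new(size_t count)
{
	return count > DEMO_MAX_LEN ? DEMO_MAX_LEN : count;
}

/*
 * Assumed write path: zero-filled buffer of DEMO_MAX_LEN + 1 bytes (stand-in
 * for a zeroed kernel allocation), then a copy of the clamped byte count
 * (stand-in for copy_from_user). Returns 1 if a NUL lies inside the buffer,
 * 0 if not, -1 on allocation failure.
 */
static int terminated_after_write(size_t count, size_t (*clamp)(size_t))
{
	char ubuf[64];	/* constructed caller data: 64 non-NUL bytes */
	char *buf = calloc(1, DEMO_MAX_LEN + 1);
	int terminated;

	if (!buf)
		return -1;
	memset(ubuf, 'A', sizeof(ubuf));
	if (count > sizeof(ubuf))
		count = sizeof(ubuf);	/* demo never reads past its own input */
	memcpy(buf, ubuf, clamp(count));
	/* memchr is bounded, so the check itself cannot run off the buffer */
	terminated = memchr(buf, '\0', DEMO_MAX_LEN + 1) != NULL;
	free(buf);
	return terminated;
}

int main(void)
{
	printf("old clamp, 64-byte write: terminated=%d\n", terminated_after_write(64, clamp_old));
	printf("new clamp, 64-byte write: terminated=%d\n", terminated_after_write(64, clamp_new));
	return 0;
}
```

With the old clamp a full-length write overwrites every zeroed byte, so any later unbounded string call on the buffer has no terminator to stop at; the lower clamp always leaves the last byte untouched.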