From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, frank zago <fzago@cray.com>,
"John L. Hammond" <john.hammond@intel.com>,
Jean-Baptiste Riaux <riaux.jb@intel.com>,
Oleg Drokin <oleg.drokin@intel.com>,
James Simmons <jsimmons@infradead.org>,
Sasha Levin <alexander.levin@verizon.com>
Subject: [PATCH 4.4 33/40] staging: lustre: hsm: stack overrun in hai_dump_data_field
Date: Mon, 6 Nov 2017 10:45:08 +0100 [thread overview]
Message-ID: <20171106094502.652522952@linuxfoundation.org> (raw)
In-Reply-To: <20171106094501.346859822@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: frank zago <fzago@cray.com>
[ Upstream commit 22aadb91c0a0055935109c175f5446abfb130702 ]
The function hai_dump_data_field will do a stack buffer
overrun when cat'ing /sys/fs/lustre/.../hsm/actions if an action has
some data in it.
hai_dump_data_field uses snprintf. But there is no check for
truncation, and the value returned by snprintf is used as-is. The
coordinator code calls hai_dump_data_field with 12 bytes in the
buffer. The 6th byte of data is printed incompletely to make room for
the terminating NUL. However snprintf still returns 2, so when
hai_dump_data_field writes the final NUL, it does it outside the
reserved buffer, in the 13th byte of the buffer. This stack buffer
overrun hangs my VM.
Fix by checking that there is enough room for the next 2 characters
plus the NUL terminator. Don't print half bytes. Change the format to
02X instead of .2X, which makes more sense.
Signed-off-by: frank zago <fzago@cray.com>
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-8171
Reviewed-on: http://review.whamcloud.com/20338
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: Jean-Baptiste Riaux <riaux.jb@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
Signed-off-by: James Simmons <jsimmons@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/lustre/lustre/include/lustre/lustre_user.h | 18 +++++--------
1 file changed, 8 insertions(+), 10 deletions(-)
--- a/drivers/staging/lustre/lustre/include/lustre/lustre_user.h
+++ b/drivers/staging/lustre/lustre/include/lustre/lustre_user.h
@@ -1063,23 +1063,21 @@ struct hsm_action_item {
* \retval buffer
*/
static inline char *hai_dump_data_field(struct hsm_action_item *hai,
- char *buffer, int len)
+ char *buffer, size_t len)
{
- int i, sz, data_len;
+ int i, data_len;
char *ptr;
ptr = buffer;
- sz = len;
data_len = hai->hai_len - sizeof(*hai);
- for (i = 0 ; (i < data_len) && (sz > 0) ; i++) {
- int cnt;
-
- cnt = snprintf(ptr, sz, "%.2X",
- (unsigned char)hai->hai_data[i]);
- ptr += cnt;
- sz -= cnt;
+ for (i = 0; (i < data_len) && (len > 2); i++) {
+ snprintf(ptr, 3, "%02X", (unsigned char)hai->hai_data[i]);
+ ptr += 2;
+ len -= 2;
}
+
*ptr = '\0';
+
return buffer;
}
next prev parent reply other threads:[~2017-11-06 9:48 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-06 9:44 [PATCH 4.4 00/40] 4.4.97-stable review Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 01/40] ALSA: timer: Add missing mutex lock for compat ioctls Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 02/40] ALSA: seq: Fix nested rwsem annotation for lockdep splat Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 03/40] cifs: check MaxPathNameComponentLength != 0 before using it Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 04/40] KEYS: return full count in keyring_read() if buffer is too small Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 05/40] KEYS: fix out-of-bounds read during ASN.1 parsing Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 06/40] ASoC: adau17x1: Workaround for noise bug in ADC Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 07/40] arm64: ensure __dump_instr() checks addr_limit Greg Kroah-Hartman
2017-11-13 19:05 ` Ben Hutchings
2017-11-14 13:52 ` Catalin Marinas
2017-11-14 16:18 ` Mark Rutland
2017-11-19 10:29 ` Greg Kroah-Hartman
2017-11-20 11:26 ` Mark Rutland
2017-11-21 16:55 ` Greg Kroah-Hartman
2017-11-15 13:28 ` Ben Hutchings
2017-11-15 13:36 ` Ben Hutchings
2017-11-06 9:44 ` [PATCH 4.4 08/40] ARM: dts: mvebu: pl310-cache disable double-linefill Greg Kroah-Hartman
2017-11-07 23:06 ` Sebastian Gottschall
2017-11-08 8:44 ` Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 09/40] ARM: 8715/1: add a private asm/unaligned.h Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 10/40] ocfs2: fstrim: Fix start offset of first cluster group during fstrim Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 11/40] perf tools: Fix build failure on perl script context Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 12/40] drm/msm: Fix potential buffer overflow issue Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 13/40] drm/msm: fix an integer overflow test Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 14/40] tracing/samples: Fix creation and deletion of simple_thread_fn creation Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 15/40] Fix tracing sample code warning Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 16/40] PM / wakeirq: report a wakeup_event on dedicated wekup irq Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 17/40] mmc: s3cmci: include linux/interrupt.h for tasklet_struct Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 18/40] ARM: pxa: Dont rely on public mmc header to include leds.h Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 19/40] mfd: ab8500-sysctrl: Handle probe deferral Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 20/40] mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 21/40] staging: rtl8712u: Fix endian settings for structs describing network packets Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 22/40] ext4: fix stripe-unaligned allocations Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 23/40] ext4: do not use stripe_width if it is not set Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 24/40] i2c: riic: correctly finish transfers Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 26/40] perf tools: Only increase index if perf_evsel__new_idx() succeeds Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 27/40] cx231xx: Fix I2C on Internal Master 3 Bus Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 28/40] drm/msm/dsi: Set msm_dsi->encoders before initializing bridge Greg Kroah-Hartman
2017-11-07 4:32 ` Archit Taneja
2017-11-07 10:35 ` Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 29/40] xen/manage: correct return value check on xenbus_scanf() Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 30/40] scsi: aacraid: Process Error for response I/O Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 31/40] platform/x86: intel_mid_thermal: Fix module autoload Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 32/40] staging: lustre: llite: dont invoke direct_IO for the EOF case Greg Kroah-Hartman
2017-11-06 9:45 ` Greg Kroah-Hartman [this message]
2017-11-06 9:45 ` [PATCH 4.4 34/40] staging: lustre: ptlrpc: skip lock if export failed Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 35/40] exynos4-is: fimc-is: Unmap region obtained by of_iomap() Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 36/40] mei: return error on notification request to a disconnected client Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 37/40] s390/dasd: check for device error pointer within state change interrupts Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 38/40] bt8xx: fix memory leak Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 39/40] xen: dont print error message in case of missing Xenstore entry Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 40/40] staging: r8712u: Fix Sparse warning in rtl871x_xmit.c Greg Kroah-Hartman
2017-11-06 21:17 ` [PATCH 4.4 00/40] 4.4.97-stable review Guenter Roeck
2017-11-06 23:26 ` Shuah Khan
2017-11-07 22:55 ` Tom Gall
2017-11-08 9:22 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106094502.652522952@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.levin@verizon.com \
--cc=fzago@cray.com \
--cc=john.hammond@intel.com \
--cc=jsimmons@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg.drokin@intel.com \
--cc=riaux.jb@intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).