LU-12580 lov: fix out of bound usercopy

When handling ioctl LL_IOC_LOV_GETSTRIPE, the user
could pass a limited buffer which is bigger than
lov_comp_md_size(), it will crash the client because
we are doing the usercopy with the user provided buffer
size.

Make sure the copy works, also for the PFL file,
we should only copy the chosen component.

Change-Id: I92bcf6d7b7f7a4387a9936a0b58332e50a88e542
Signed-off-by: Li Dongyang <dongyangli@ddn.com>
Reviewed-on: https://review.whamcloud.com/37469
Reviewed-by: Emoly Liu <emoly@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Bobi Jam <bobijam@hotmail.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lustre/lov/lov_pack.c b/lustre/lov/lov_pack.c
index e657eed..60d530b 100644 (file)
--- a/lustre/lov/lov_pack.c
+++ b/lustre/lov/lov_pack.c
@@ -389,8 +389,8 @@ int lov_getstripe(const struct lu_env *env, struct lov_object *obj,
        struct lov_mds_md *lmmk, *lmm;
        struct lov_foreign_md *lfm;
        struct lov_user_md_v1 lum;
-       size_t lmmk_size;
-       ssize_t lmm_size, lum_size = 0;
+       size_t lmmk_size, lum_size = 0;
+       ssize_t lmm_size;
        static bool printed;
        int rc = 0;
 
@@ -488,10 +488,11 @@ int lov_getstripe(const struct lu_env *env, struct lov_object *obj,
                                i--;
                        comp_md = (struct lov_mds_md *)((char *)comp_v1 +
                                        comp_v1->lcm_entries[i].lcme_offset);
+                       lum_size = comp_v1->lcm_entries[i].lcme_size;
                }
 
                lmm = comp_md;
-               lmm_size = lum_size;
+               lmm_size = min(lum_size, lmmk_size);
        } else {
                lmm = lmmk;
                lmm_size = lmmk_size;