LU-17336 gss: fix __user pointer in rsi_upcall_seq_write

rsi_upcall_seq_write() uses sscanf to get the string passed from
userspace, but this needs to be copied to a kernel buffer first.

Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5
Test-Parameters: testgroup=review-dne-selinux-ssk-part-2
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I2ec875b7c6c158695857fe912ec1dd9f41ddc25d
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/53342
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lustre/ptlrpc/gss/lproc_gss.c b/lustre/ptlrpc/gss/lproc_gss.c
index 6d8eaf3..e1fa748 100644 (file)
--- a/lustre/ptlrpc/gss/lproc_gss.c
+++ b/lustre/ptlrpc/gss/lproc_gss.c
@@ -195,6 +195,7 @@ static ssize_t rsi_upcall_seq_write(struct file *file,
                                    const char __user *buffer,
                                    size_t count, loff_t *off)
 {
+       char *kbuf = NULL;
        int rc;
 
        if (count >= UC_CACHE_UPCALL_MAXPATH) {
@@ -202,19 +203,30 @@ static ssize_t rsi_upcall_seq_write(struct file *file,
                return -EINVAL;
        }
 
+       OBD_ALLOC(kbuf, count + 1);
+       if (kbuf == NULL)
+               return -ENOMEM;
+
+       if (copy_from_user(kbuf, buffer, count))
+               GOTO(out, rc = -EFAULT);
+
+       kbuf[count] = '\0';
+
        /* Remove any extraneous bits from the upcall (e.g. linefeeds) */
        down_write(&rsicache->uc_upcall_rwsem);
-       rc = sscanf(buffer, "%s", rsicache->uc_upcall);
+       rc = sscanf(kbuf, "%s", rsicache->uc_upcall);
        up_write(&rsicache->uc_upcall_rwsem);
 
        if (rc != 1) {
                CERROR("%s: invalid rsi upcall provided\n", rsicache->uc_name);
-               return -EINVAL;
+               GOTO(out, rc = -EINVAL);
        }
 
        CDEBUG(D_CONFIG, "%s: rsi upcall set to %s\n", rsicache->uc_name,
               rsicache->uc_upcall);
 
+out:
+       OBD_FREE(kbuf, count + 1);
        return count;
 }
 LPROC_SEQ_FOPS(rsi_upcall);