From d4dd52a3a1dea9e6117512889837e245fb983556 Mon Sep 17 00:00:00 2001
From: Li Dongyang
Date: Fri, 7 Feb 2020 23:16:26 +1100
Subject: [PATCH] LU-12580 lov: fix out of bound usercopy

When handling ioctl LL_IOC_LOV_GETSTRIPE, the user could pass a limited buffer which is bigger than lov_comp_md_size(), it will crash the client because we are doing the usercopy with the user provided buffer size. Make sure the copy works, also for the PFL file, we should only copy the chosen component.

Lustre-change: https://review.whamcloud.com/37469
Lustre-commit: 2f1beb33144523467b596f4b6fab882b0a839187
Change-Id: I92bcf6d7b7f7a4387a9936a0b58332e50a88e542
Signed-off-by: Li Dongyang
Reviewed-by: Emoly Liu
Reviewed-by: Bobi Jam
Signed-off-by: Minh Diep
Reviewed-on: https://review.whamcloud.com/38051
Tested-by: jenkins
Tested-by: Maloo
Reviewed-by: Oleg Drokin
---
 lustre/lov/lov_pack.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lustre/lov/lov_pack.c b/lustre/lov/lov_pack.c
index da41b2c..b6138e1 100644
--- a/lustre/lov/lov_pack.c
+++ b/lustre/lov/lov_pack.c
@@ -362,8 +362,8 @@ int lov_getstripe(const struct lu_env *env, struct lov_object *obj,
 /* we use lov_user_md_v3 because it is larger than lov_user_md_v1 */
 struct lov_mds_md *lmmk, *lmm;
 struct lov_user_md_v1 lum;
- size_t lmmk_size;
- ssize_t lmm_size, lum_size = 0;
+ size_t lmmk_size, lum_size = 0;
+ ssize_t lmm_size;
 static bool printed;
 int rc = 0;
@@ -453,10 +453,11 @@ int lov_getstripe(const struct lu_env *env, struct lov_object *obj,
 i--;
 comp_md = (struct lov_mds_md *)((char *)comp_v1 + comp_v1->lcm_entries[i].lcme_offset);
+ lum_size = comp_v1->lcm_entries[i].lcme_size;
 }
 lmm = comp_md;
- lmm_size = lum_size;
+ lmm_size = min(lum_size, lmmk_size);
 } else {
 lmm = lmmk;
 lmm_size = lmmk_size;
-- 
1.8.3.1
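Review bot: In the second hunk, `min(lum_size, lmmk_size)` caps the copy length at the size of the whole packed buffer, but `comp_md` starts `lcme_offset` bytes into `comp_v1`, so fewer than `lmmk_size` bytes can safely be read from `comp_md` whenever that offset is non-zero. If `comp_v1` aliases `lmmk` (its assignment is outside the hunk), bounding by the remainder would be tighter, e.g. `lmm_size = min(lum_size, lmmk_size - (size_t)((char *)comp_md - (char *)lmmk));`. The entries are presumably written by the kernel's own packing code and so consistent, which makes this defence in depth rather than a known overread. Separately, `lmm_size` stays `ssize_t` in the first hunk while both operands of `min()` are now `size_t`; if nothing outside these hunks stores a negative value in it, declaring it `size_t` as well would keep later comparisons with the caller's buffer size unsigned. The body of `lov_getstripe` begins and ends outside both hunks.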