From 7b90925dcdd96e2e8a0c25a5d04803d22eb2e80f Mon Sep 17 00:00:00 2001
From: Sebastien Buisson
Date: Wed, 6 Dec 2023 09:15:18 +0100
Subject: [PATCH] LU-17336 gss: fix __user pointer in rsi_upcall_seq_write

rsi_upcall_seq_write() uses sscanf to get the string passed from userspace, but this needs to be copied to a kernel buffer first.
Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5
Test-Parameters: testgroup=review-dne-selinux-ssk-part-2
Signed-off-by: Sebastien Buisson
Change-Id: I2ec875b7c6c158695857fe912ec1dd9f41ddc25d
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/53342
Tested-by: jenkins
Tested-by: Maloo
Reviewed-by: Aurelien Degremont
Reviewed-by: Andreas Dilger
Reviewed-by: Oleg Drokin
---
 lustre/ptlrpc/gss/lproc_gss.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/lustre/ptlrpc/gss/lproc_gss.c b/lustre/ptlrpc/gss/lproc_gss.c
index 6d8eaf3..e1fa748 100644
--- a/lustre/ptlrpc/gss/lproc_gss.c
+++ b/lustre/ptlrpc/gss/lproc_gss.c
@@ -195,6 +195,7 @@ static ssize_t rsi_upcall_seq_write(struct file *file, const char __user *buffer, size_t count, loff_t *off) { + char *kbuf = NULL; int rc; if (count >= UC_CACHE_UPCALL_MAXPATH) {
@@ -202,19 +203,30 @@ static ssize_t rsi_upcall_seq_write(struct file *file, return -EINVAL; } + OBD_ALLOC(kbuf, count + 1); + if (kbuf == NULL) + return -ENOMEM; + + if (copy_from_user(kbuf, buffer, count)) + GOTO(out, rc = -EFAULT); + + kbuf[count] = '\0'; + /* Remove any extraneous bits from the upcall (e.g. linefeeds) */ down_write(&rsicache->uc_upcall_rwsem); - rc = sscanf(buffer, "%s", rsicache->uc_upcall); + rc = sscanf(kbuf, "%s", rsicache->uc_upcall); up_write(&rsicache->uc_upcall_rwsem); if (rc != 1) { CERROR("%s: invalid rsi upcall provided\n", rsicache->uc_name); - return -EINVAL; + GOTO(out, rc = -EINVAL); } CDEBUG(D_CONFIG, "%s: rsi upcall set to %s\n", rsicache->uc_name, rsicache->uc_upcall); +out: + OBD_FREE(kbuf, count + 1); return count; } LPROC_SEQ_FOPS(rsi_upcall); -- 1.8.3.1
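Review bot: Both new error paths, `GOTO(out, rc = -EFAULT)` and `GOTO(out, rc = -EINVAL)`, fall into `out:` where the function still ends with `return count;`, so a failed copy_from_user() or a rejected upcall string is reported to the writer as a successful write. Before this change the `rc != 1` branch returned -EINVAL directly, so this is a regression in error reporting: an administrator or script setting the upcall path gets no indication that the old value is still in effect. Since rc is 1 on the success path, the last statement could be `return rc < 0 ? rc : count;`. Separately, `sscanf(kbuf, "%s", ...)` has no field width, so its bound rests entirely on the earlier `count >= UC_CACHE_UPCALL_MAXPATH` check and on uc_upcall being at least that large, which is not visible here; a comment next to the sscanf stating that dependency would help. The function's signature and the size check sit in the previous hunk, outside this one.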