LU-16342 mdt: not copy pool_name to quotactl in reply

Don not copy pool_name in mdt reply to avoid out-of-bounds:
BUG: KASAN: slab-out-of-bounds in mdt_quotactl+0x13ff/0x1430 [mdt]

HPE-bug-id: LUS-10579
Change-Id: I34c4cd8aaccd938c95005dca06644e02132def34
Signed-off-by: Sergey Cheremencev <sergey.cheremencev@hpe.com>
Reviewed-on: https://es-gerrit.dev.cray.com/160899
Reviewed-by: Andrew Perepechko <andrew.perepechko@hpe.com>
Reviewed-by: Andriy Skulysh <c17819@cray.com>
Tested-by: Vitaly Fertman <c17818@cray.com>
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/49242
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Shaun Tancheff <shaun.tancheff@hpe.com>

diff --git a/lustre/include/uapi/linux/lustre/lustre_idl.h b/lustre/include/uapi/linux/lustre/lustre_idl.h
index bc93164..78669e1 100644 (file)
--- a/lustre/include/uapi/linux/lustre/lustre_idl.h
+++ b/lustre/include/uapi/linux/lustre/lustre_idl.h
@@ -1502,7 +1502,7 @@ struct obd_quotactl {
 
 #define Q_COPY(out, in, member) (out)->member = (in)->member
 
-#define QCTL_COPY(out, in)                             \
+#define __QCTL_COPY(out, in, need_pname)               \
 do {                                                   \
        Q_COPY(out, in, qc_cmd);                        \
        Q_COPY(out, in, qc_type);                       \
@@ -1510,12 +1510,15 @@ do {                                                    \
        Q_COPY(out, in, qc_stat);                       \
        Q_COPY(out, in, qc_dqinfo);                     \
        Q_COPY(out, in, qc_dqblk);                      \
-       if (LUSTRE_Q_CMD_IS_POOL(in->qc_cmd))           \
+       if (need_pname && LUSTRE_Q_CMD_IS_POOL(in->qc_cmd))             \
                memcpy(out->qc_poolname,                \
                       in->qc_poolname,                 \
                       LOV_MAXPOOLNAME + 1);            \
 } while (0)
 
+#define QCTL_COPY(out, in) __QCTL_COPY(out, in, true)
+#define QCTL_COPY_NO_PNAME(out, in) __QCTL_COPY(out, in, false)
+
 /* Body of quota request used for quota acquire/release RPCs between quota
  * master (aka QMT) and slaves (ak QSD). */
 struct quota_body {

diff --git a/lustre/mdt/mdt_handler.c b/lustre/mdt/mdt_handler.c
index 0a413ed..91a3954 100644 (file)
--- a/lustre/mdt/mdt_handler.c
+++ b/lustre/mdt/mdt_handler.c
@@ -3321,7 +3321,7 @@ static int mdt_quotactl(struct tgt_session_info *tsi)
        if (oqctl->qc_id != id)
                swap(oqctl->qc_id, id);
 
-       QCTL_COPY(repoqc, oqctl);
+       QCTL_COPY_NO_PNAME(repoqc, oqctl);
        EXIT;
 
 out_nodemap: