Whamcloud - gitweb
LU-12911 llite: Don't access lov_md fields before size check 89/36589/9
author Mr NeilBrown <neilb@suse.de>
Mon, 28 Oct 2019 01:24:26 +0000 (12:24 +1100)
committer Oleg Drokin <green@whamcloud.com>
Fri, 14 Feb 2020 05:50:20 +0000 (05:50 +0000)
When 'struct lov_user_md' is passed in via setxattr, it comes with
a size.  If that size is too small, some functions that check exactly
what version is present might access beyond the end of allocation
memory, which can have undesirable effects, such as triggering
a KASAN warning (and possibly worse).

So check that the size is sane before looking inside the structure
at all.

Signed-off-by: Mr NeilBrown <neilb@suse.de>
Change-Id: Ib3f071a3ff77a039fdfa38c903d87999108b3322
Reviewed-on: https://review.whamcloud.com/36589
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Shaun Tancheff <shaun.tancheff@hpe.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>

index 0c50a59..829584d 100644 (file)
@@ -283,6 +283,12 @@ static int ll_setstripe_ea(struct dentry *dentry, struct lov_user_md *lump,
        if (!size && lump)
                lump = NULL;
+       if (size && size < sizeof(*lump)) {
+               /* ll_adjust_lum() or ll_lov_user_md_size() might access
+                * before size - just give up now.
+                */
+               return -ERANGE;
+       }
        rc = ll_adjust_lum(inode, lump);
        if (rc)
                return rc;
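
Review bot: the comment inside the new `if (size && size < sizeof(*lump))` block says the helpers "might access before size", which reads as the opposite of what the commit message describes (a read past the end of the supplied buffer); wording such as "might read fields beyond size" would match the intent. Separately, this test only guarantees that `sizeof(*lump)` bytes are present, which is enough to read the fields of the base structure safely. The commit message notes that the callees go on to work out which version is present, so it is worth confirming that ll_adjust_lum() and ll_lov_user_md_size() compare the version-specific length against `size` before touching anything past the base structure, since that is not visible in this hunk. A short note in the function's documentation that callers get -ERANGE for a truncated buffer would also help anyone handling setxattr errors.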