From 7e5f927458544bd2681027bfc3df6136d059121f Mon Sep 17 00:00:00 2001
From: Sergey Cheremencev <sergey.cheremencev@hpe.com>
Date: Fri, 15 Jul 2022 13:06:43 +0300
Subject: [PATCH] LU-16342 mdt: not copy pool_name to quotactl in reply

Don not copy pool_name in mdt reply to avoid out-of-bounds:
BUG: KASAN: slab-out-of-bounds in mdt_quotactl+0x13ff/0x1430 [mdt]

HPE-bug-id: LUS-10579
Change-Id: I34c4cd8aaccd938c95005dca06644e02132def34
Signed-off-by: Sergey Cheremencev <sergey.cheremencev@hpe.com>
Reviewed-on: https://es-gerrit.dev.cray.com/160899
Reviewed-by: Andrew Perepechko <andrew.perepechko@hpe.com>
Reviewed-by: Andriy Skulysh <c17819@cray.com>
Tested-by: Vitaly Fertman <c17818@cray.com>
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/49242
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Shaun Tancheff <shaun.tancheff@hpe.com>
---
 lustre/include/uapi/linux/lustre/lustre_idl.h | 7 +++++--
 lustre/mdt/mdt_handler.c                      | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lustre/include/uapi/linux/lustre/lustre_idl.h b/lustre/include/uapi/linux/lustre/lustre_idl.h
index bc93164..78669e1 100644
--- a/lustre/include/uapi/linux/lustre/lustre_idl.h
+++ b/lustre/include/uapi/linux/lustre/lustre_idl.h
@@ -1502,7 +1502,7 @@ struct obd_quotactl {
 
 #define Q_COPY(out, in, member) (out)->member = (in)->member
 
-#define QCTL_COPY(out, in)				\
+#define __QCTL_COPY(out, in, need_pname)		\
 do {							\
 	Q_COPY(out, in, qc_cmd);			\
 	Q_COPY(out, in, qc_type);			\
@@ -1510,12 +1510,15 @@ do {							\
 	Q_COPY(out, in, qc_stat);			\
 	Q_COPY(out, in, qc_dqinfo);			\
 	Q_COPY(out, in, qc_dqblk);			\
-	if (LUSTRE_Q_CMD_IS_POOL(in->qc_cmd))		\
+	if (need_pname && LUSTRE_Q_CMD_IS_POOL(in->qc_cmd))		\
 		memcpy(out->qc_poolname,		\
 		       in->qc_poolname,			\
 		       LOV_MAXPOOLNAME + 1);		\
 } while (0)
 
+#define QCTL_COPY(out, in) __QCTL_COPY(out, in, true)
+#define QCTL_COPY_NO_PNAME(out, in) __QCTL_COPY(out, in, false)
+
 /* Body of quota request used for quota acquire/release RPCs between quota
  * master (aka QMT) and slaves (ak QSD). */
 struct quota_body {
diff --git a/lustre/mdt/mdt_handler.c b/lustre/mdt/mdt_handler.c
index 0a413ed..91a3954 100644
--- a/lustre/mdt/mdt_handler.c
+++ b/lustre/mdt/mdt_handler.c
@@ -3321,7 +3321,7 @@ static int mdt_quotactl(struct tgt_session_info *tsi)
 	if (oqctl->qc_id != id)
 		swap(oqctl->qc_id, id);
 
-	QCTL_COPY(repoqc, oqctl);
+	QCTL_COPY_NO_PNAME(repoqc, oqctl);
 	EXIT;
 
 out_nodemap:
-- 
1.8.3.1