staging/lustre/llite: prevent buffer overflow in fiemap

lov_fiemap() does not take consider its @vallen parameter, which is the max buffer size the caller can hold for the fiemap extents. This patch fixes this and limits the max mapped fiemap extent count to fit in the preallocted buffer. This patch also fixes a memory out of bound write issue when the fiemap call is only for detecting the number of existing extent. Signed-off-by: N Bobi Jam <bobijam.xu@intel.com> Reviewed-on: http://review.whamcloud.com/9834 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-4619Reviewed-by: N Fan Yong <fan.yong@intel.com> Reviewed-by: N Patrick Farrell <paf@cray.com> Signed-off-by: N Oleg Drokin <oleg.drokin@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging/lustre/llite: prevent buffer overflow in fiemap
lov_fiemap() does not take consider its @vallen parameter, which is the max buffer size the caller can hold for the fiemap extents. This patch fixes this and limits the max mapped fiemap extent count to fit in the preallocted buffer. This patch also fixes a memory out of bound write issue when the fiemap call is only for detecting the number of existing extent. Signed-off-by: N Bobi Jam <bobijam.xu@intel.com> Reviewed-on: http://review.whamcloud.com/9834 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-4619Reviewed-by: N Fan Yong <fan.yong@intel.com> Reviewed-by: N Patrick Farrell <paf@cray.com> Signed-off-by: N Oleg Drokin <oleg.drokin@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ebdc4fc5 · Bobi Jam · Greg Kroah-Hartman · a1e7e2d4 · ebdc4fc5 · ebdc4fc5
隐藏空白更改
内联并排

Showing with 11 addition and 7 deletion

drivers/staging/lustre/lustre/llite/file.c drivers/staging/lustre/lustre/llite/file.c +9 -6

drivers/staging/lustre/lustre/lov/lov_obd.c drivers/staging/lustre/lustre/lov/lov_obd.c +2 -1

未找到文件。
--- a/drivers/staging/lustre/lustre/llite/file.c
+++ b/drivers/staging/lustre/lustre/llite/file.c
@@ -1721,12 +1721,12 @@ int ll_release_openhandle(struct dentry *dentry, struct lookup_intent *it)
 * Make the FIEMAP get_info call and returns the result.
 */
 static int ll_do_fiemap(struct inode *inode, struct ll_user_fiemap *fiemap,
-			int num_bytes)
+			size_t num_bytes)
 {
 	struct obd_export *exp = ll_i2dtexp(inode);
 	struct lov_stripe_md *lsm = NULL;
 	struct ll_fiemap_info_key fm_key = { .name = KEY_FIEMAP, };
-	int vallen = num_bytes;
+	__u32 vallen = num_bytes;
 	int rc;
 	/* Checks for fiemap flags */
@@ -3080,15 +3080,18 @@ static int ll_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
 	fiemap->fm_extent_count = fieinfo->fi_extents_max;
 	fiemap->fm_start = start;
 	fiemap->fm_length = len;
-	memcpy(&fiemap->fm_extents[0], fieinfo->fi_extents_start,
+	if (extent_count > 0)
-	       sizeof(struct ll_fiemap_extent));
+		memcpy(&fiemap->fm_extents[0], fieinfo->fi_extents_start,
+		       sizeof(struct ll_fiemap_extent));
 	rc = ll_do_fiemap(inode, fiemap, num_bytes);
 	fieinfo->fi_flags = fiemap->fm_flags;
 	fieinfo->fi_extents_mapped = fiemap->fm_mapped_extents;
-	memcpy(fieinfo->fi_extents_start, &fiemap->fm_extents[0],
+	if (extent_count > 0)
-	       fiemap->fm_mapped_extents * sizeof(struct ll_fiemap_extent));
+		memcpy(fieinfo->fi_extents_start, &fiemap->fm_extents[0],
+		       fiemap->fm_mapped_extents *
+		       sizeof(struct ll_fiemap_extent));
 	OBD_FREE_LARGE(fiemap, num_bytes);
 	return rc;

--- a/drivers/staging/lustre/lustre/lov/lov_obd.c
+++ b/drivers/staging/lustre/lustre/lov/lov_obd.c
@@ -2248,11 +2248,12 @@ static int lov_fiemap(struct lov_obd *lov, __u32 keylen, void *key,
 	if (fm_end_offset == -EINVAL)
 		GOTO(out, rc = -EINVAL);
+	if (fiemap_count_to_size(fiemap->fm_extent_count) > *vallen)
+		fiemap->fm_extent_count = fiemap_size_to_count(*vallen);
 	if (fiemap->fm_extent_count == 0) {
 		get_num_extents = 1;
 		count_local = 0;
 	}
 	/* Check each stripe */
 	for (cur_stripe = start_stripe, i = 0; i < stripe_count;
 	     i++, cur_stripe = (cur_stripe + 1) % lsm->lsm_stripe_count) {