lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon,  8 Apr 2024 09:50:43 +0200
From: Arnd Bergmann <arnd@...nel.org>
To: linux-fsdevel@...r.kernel.org,
	Mike Marshall <hubcap@...ibond.com>
Cc: Arnd Bergmann <arnd@...db.de>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Christian Brauner <brauner@...nel.org>,
	Jan Kara <jack@...e.cz>,
	Martin Brandenburg <martin@...ibond.com>,
	devel@...ts.orangefs.org,
	Vlastimil Babka <vbabka@...e.cz>,
	Kees Cook <keescook@...omium.org>,
	Justin Stitt <justinstitt@...gle.com>,
	linux-kernel@...r.kernel.org
Subject: [PATCH] [RESEND] orangefs: fix out-of-bounds fsid access

From: Arnd Bergmann <arnd@...db.de>

orangefs_statfs() copies two consecutive fields of the superblock into
the statfs structure, which triggers a warning from the string fortification
helpers:

In file included from fs/orangefs/super.c:8:
include/linux/fortify-string.h:592:4: error: call to '__read_overflow2_field' declared with 'warning' attribute: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
                        __read_overflow2_field(q_size_field, size);

Change the memcpy() to an individual assignment of the two fields, which helps
both the compiler and human readers understand better what it does.

Link: https://lore.kernel.org/all/20230622101701.3399585-1-arnd@kernel.org/
Cc: Alexander Viro <viro@...iv.linux.org.uk>
Cc: Christian Brauner <brauner@...nel.org>
Cc: Jan Kara <jack@...e.cz>
Cc: linux-fsdevel@...r.kernel.org
Cc: Mike Marshall <hubcap@...ibond.com>
Cc: Martin Brandenburg <martin@...ibond.com>
Cc: devel@...ts.orangefs.org
Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
Resending to VFS maintainers, I sent this a couple of times to the
orangefs maintainers but never got a reply
---
 fs/orangefs/super.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c
index fb4d09c2f531..152478295766 100644
--- a/fs/orangefs/super.c
+++ b/fs/orangefs/super.c
@@ -201,7 +201,10 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf)
 		     (long)new_op->downcall.resp.statfs.files_avail);
 
 	buf->f_type = sb->s_magic;
-	memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid));
+	buf->f_fsid = (__kernel_fsid_t) {{
+		ORANGEFS_SB(sb)->fs_id,
+		ORANGEFS_SB(sb)->id,
+	}};
 	buf->f_bsize = new_op->downcall.resp.statfs.block_size;
 	buf->f_namelen = ORANGEFS_NAME_MAX;
 
-- 
2.39.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ