[LU-5476] Buffer overflow in ll_fid2path

Fri, 15 Aug 2014 17:27:16 +0000

Reported by Dan Carpenter against upstream client:

The patch d7e09d0397e8: "staging: add Lustre file system client
support" from May 2, 2013, leads to the following static checker
warning:

drivers/staging/lustre/lustre/llite/file.c:1730 ll_fid2path()
error: memcpy() 'gfout' too small

drivers/staging/lustre/lustre/llite/file.c
1719 if (copy_from_user(gfin, arg, sizeof(*gfin)))

{ 1720 OBD_FREE_PTR(gfin); 1721 return -EFAULT; 1722 }

1723
1724 outsize = sizeof(*gfout) + gfin->gf_pathlen;

outsize is an int.
gfin->gf_pathlen is a u32 which comes from the user.
The addition can overflow so outsize is less than sizeof(*gfout).

1725 OBD_ALLOC(gfout, outsize);
1726 if (gfout == NULL)

{ 1727 OBD_FREE_PTR(gfin); 1728 return -ENOMEM; 1729 }

1730 memcpy(gfout, gfin, sizeof(*gfout));

It would lead to memory corruption here. Probably we should add
something like:

if (gfin->gf_pathlen > PATH_MAX)
return -EINVAL;

Is that the right limit here?

1731 OBD_FREE_PTR(gfin);
1732
1733 /* Call mdc_iocontrol */
1734 rc = obd_iocontrol(OBD_IOC_FID2PATH, exp, outsize, gfout, NULL);

Whamcloud Community JIRA