Commit 05c51a5c authored Mar 07, 2025 by Mike Marshall Committed by Yifan Qiao Mar 07, 2025

orangefs: fix a oob in orangefs_debug_write

mainline inclusion
from mainline-v6.14-rc1
commit f7c848431632598ff9bce57a659db6af60d75b39
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC4Q

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f7c848431632598ff9bce57a659db6af60d75b39



--------------------------------

I got a syzbot report: slab-out-of-bounds Read in
orangefs_debug_write... several people suggested fixes,
I tested Al Viro's suggestion and made this patch.

Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Reported-by:  <syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com>
Signed-off-by: Yifan Qiao <qiaoyifan4@huawei.com>

parent 13fe01ab

fs/orangefs/orangefs-debugfs.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -393,9 +393,9 @@ static ssize_t orangefs_debug_write(struct file *file,
		* Thwart users who try to jamb a ridiculous number
		* of bytes into the debug file...
		*/
		if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
		if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
		silly = count;
		count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
		count = ORANGEFS_MAX_DEBUG_STRING_LEN;
		}

		buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);