Commit 77a18455 authored Aug 12, 2024 by Mike Marshall Committed by Liu Shixin Aug 12, 2024

orangefs: fix out-of-bounds fsid access

stable inclusion
from stable-v5.10.222
commit 1617249e24bd04c8047956afb43feec4876d1715
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGPSE
CVE: CVE-2024-42143

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1617249e24bd04c8047956afb43feec4876d1715



--------------------------------

[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ]

Arnd Bergmann sent a patch to fsdevel, he says:

"orangefs_statfs() copies two consecutive fields of the superblock into
the statfs structure, which triggers a warning from the string fortification
helpers"

Jan Kara suggested an alternate way to do the patch to make it more readable.

I ran both ideas through xfstests and both seem fine. This patch
is based on Jan Kara's suggestion.

Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Liu Shixin <liushixin2@huawei.com>

parent d405cb4e

fs/orangefs/super.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -200,7 +200,8 @@ static int orangefs_statfs(struct dentry dentry, struct kstatfs buf)
		(long)new_op->downcall.resp.statfs.files_avail);

		buf->f_type = sb->s_magic;
		memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid));
		buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id;
		buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id;
		buf->f_bsize = new_op->downcall.resp.statfs.block_size;
		buf->f_namelen = ORANGEFS_NAME_MAX;