Commit d633101f authored Mar 01, 2025 by Zichen Xie Committed by Li Lingfeng Mar 01, 2025

NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client()

stable inclusion
from stable-v6.6.79
commit 19b3ca651b4b473878c73539febe477905041442
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC5M
CVE: CVE-2024-54456

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=19b3ca651b4b473878c73539febe477905041442



--------------------------------

[ Upstream commit 49fd4e34751e90e6df009b70cd0659dc839e7ca8 ]

name is char[64] where the size of clnt->cl_program->name remains
unknown. Invoking strcat() directly will also lead to potential buffer
overflow. Change them to strscpy() and strncat() to fix potential
issues.

Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>

parent 305d3014

fs/nfs/sysfs.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -280,9 +280,9 @@ void nfs_sysfs_link_rpc_client(struct nfs_server *server,
		char name[RPC_CLIENT_NAME_SIZE];
		int ret;

		strcpy(name, clnt->cl_program->name);
		strcat(name, uniq ? uniq : "");
		strcat(name, "_client");
		strscpy(name, clnt->cl_program->name, sizeof(name));
		strncat(name, uniq ? uniq : "", sizeof(name) - strlen(name) - 1);
		strncat(name, "_client", sizeof(name) - strlen(name) - 1);

		ret = sysfs_create_link_nowarn(&server->kobj,
		&clnt->cl_sysfs->kobject, name);