[22/45] lustre: llite: verify truncated xattr is handled

Message ID	1590444502-20533-23-git-send-email-jsimmons@infradead.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=/Zk1=7H=lists.lustre.org=lustre-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5A9AD2071A From: James Simmons <jsimmons@infradead.org> To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>, NeilBrown <neilb@suse.de> Date: Mon, 25 May 2020 18:07:59 -0400 Message-Id: <1590444502-20533-23-git-send-email-jsimmons@infradead.org> In-Reply-To: <1590444502-20533-1-git-send-email-jsimmons@infradead.org> References: <1590444502-20533-1-git-send-email-jsimmons@infradead.org> Subject: [lustre-devel] [PATCH 22/45] lustre: llite: verify truncated xattr is handled Precedence: list Cc: Lustre Development List <lustre-devel@lists.lustre.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: lustre-devel-bounces@lists.lustre.org Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>
Series	lustre: merged OpenSFS client patches from April 30 to today \| expand [00/45] lustre: merged OpenSFS client patches from April 30 to today [01/45] lustre: fid: revert seq_client_rpc patch. [02/45] lustre: fld: convert cache_flush file to LPROC_SEQ_FOPS [03/45] lustre: cleanups and bug fixes [04/45] lnet: merge lnet_md_alloc into lnet_md_build. [05/45] lnet: always put a page list into struct lnet_libmd [06/45] lnet: discard kvec option from lnet_libmd. [07/45] lnet: remove msg_iov from lnet_msg. [08/45] lnet: o2iblnd: discard kiblnd_setup_rd_iov [09/45] lustre: ptlrpc: return proper write count from ping_store [10/45] lustre: sec: check permissions for changelogs access [11/45] lustre: uapi: add OBD_CONNECT2_FIDMAP [12/45] lustre: lov: lov_io_sub_init()) ASSERTION [13/45] lnet: Introduce constant for the lolnd NID [14/45] lustre: Remove inappropriate uses of BIT() macro. [15/45] lustre: mgc: protect from NULL exp in mgc_enqueue() [16/45] lustre: llite: do not flush COW pages from mapping [17/45] lustre: quota: quota pools for OSTs [18/45] lnet: libcfs: use BIT() macro where appropriate [19/45] lustre: llite: clean up pcc_layout_wait() [20/45] lustre: misc: declare static chars as const where possible. [21/45] lustre: llite: fix to make jobstats work for async ra [22/45] lustre: llite: verify truncated xattr is handled [23/45] lustre: obd: fix printing of client connection UUID [24/45] lnet: Add MD options for response tracking [25/45] lustre: Send file creation time to clients [26/45] lnet: stop using struct timeval [27/45] lustre: ptlrpc: connect to MDT stucks [28/45] lnet: restrict gateway selection [29/45] lustre: llite: restore ll_dcompare() [30/45] lustre: fallocate: Implement fallocate preallocate operation [31/45] lustre: llite: fix possible divide zero in ll_use_fast_io() [32/45] lustre: llog: allow delete of zero size llog [33/45] lustre: ldlm: use proper units for timeouts [34/45] lustre: dne: support directory restripe [35/45] lustre: osc: Do not wait for grants for too long [36/45] lnet: use kmem_cache_zalloc as appropriate. [37/45] lustre: osc: Ensure immediate departure of sync write pages [38/45] lnet: remove lnet_extract_iov() [39/45] lnet: simplify ksock_tx. [40/45] lnet: socklnd: discard tx_iov. [41/45] lustre: lmv: do not print MDTs that are inactive [42/45] lnet: use the same src nid for discovery [43/45] lustre: llite: check if page truncated in ll_write_begin() [44/45] lustre: dne: improve temp file name check [45/45] lustre: all: Cleanup LASSERTF uses missing newlines

Message ID

1590444502-20533-23-git-send-email-jsimmons@infradead.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5A9AD2071A
From: James Simmons <jsimmons@infradead.org>
To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>,
 NeilBrown <neilb@suse.de>
Date: Mon, 25 May 2020 18:07:59 -0400
Message-Id: <1590444502-20533-23-git-send-email-jsimmons@infradead.org>
In-Reply-To: <1590444502-20533-1-git-send-email-jsimmons@infradead.org>
References: <1590444502-20533-1-git-send-email-jsimmons@infradead.org>
Subject: [lustre-devel] [PATCH 22/45] lustre: llite: verify truncated xattr
 is handled
Precedence: list
Cc: Lustre Development List <lustre-devel@lists.lustre.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: lustre-devel-bounces@lists.lustre.org
Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>

Series

lustre: merged OpenSFS client patches from April 30 to today | expand

Commit Message

James Simmons May 25, 2020, 10:07 p.m. UTC

From: Andreas Dilger <adilger@whamcloud.com>

Verify that a truncated trusted.lov xattr is handled properly,
for both plain and PFL layouts.

Add a test case that verifies this is fixed for both layout types.

Fixes: 814b53f76d ("lustre: llite: Don't access lov_md fields before size check")
WC-bug-id: https://jira.whamcloud.com/browse/LU-13168
Lustre-commit: cb74546354201 ("LU-13168 tests: verify truncated xattr is handled")
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/38434
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-by: Emoly Liu <emoly@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Signed-off-by: James Simmons <jsimmons@infradead.org>
---
 fs/lustre/llite/xattr.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/fs/lustre/llite/xattr.c b/fs/lustre/llite/xattr.c
index 9e7ba21..119fb26 100644
--- a/fs/lustre/llite/xattr.c
+++ b/fs/lustre/llite/xattr.c
@@ -190,7 +190,8 @@  static int get_hsm_state(struct inode *inode, u32 *hus_states)
 	return rc;
 }
 
-static int ll_adjust_lum(struct inode *inode, struct lov_user_md *lump)
+static int ll_adjust_lum(struct inode *inode, struct lov_user_md *lump,
+			 size_t size)
 {
 	struct lov_comp_md_v1 *comp_v1 = (struct lov_comp_md_v1 *)lump;
 	struct lov_user_md *v1 = lump;
@@ -205,7 +206,12 @@  static int ll_adjust_lum(struct inode *inode, struct lov_user_md *lump)
 		return 0;
 
 	if (lump->lmm_magic == LOV_USER_MAGIC_COMP_V1) {
+		if (size < sizeof(*comp_v1))
+			return -ERANGE;
+
 		entry_count = comp_v1->lcm_entry_count;
+		if (size < offsetof(typeof(*comp_v1), lcm_entries[entry_count]))
+			return -ERANGE;
 		is_composite = true;
 	}
 
@@ -213,6 +219,10 @@  static int ll_adjust_lum(struct inode *inode, struct lov_user_md *lump)
 		if (lump->lmm_magic == LOV_USER_MAGIC_COMP_V1) {
 			void *ptr = comp_v1;
 
+			if (comp_v1->lcm_entries[i].lcme_offset + sizeof(*v1) >
+			    size)
+				return -ERANGE;
+
 			ptr += comp_v1->lcm_entries[i].lcme_offset;
 			v1 = (struct lov_user_md *)ptr;
 		}
@@ -265,7 +275,7 @@  static int ll_setstripe_ea(struct dentry *dentry, struct lov_user_md *lump,
 		return -ERANGE;
 	}
 
-	rc = ll_adjust_lum(inode, lump);
+	rc = ll_adjust_lum(inode, lump, size);
 	if (rc)
 		return rc;

[22/45] lustre: llite: verify truncated xattr is handled

Commit Message

Patch