Pei Li
unread,Jun 28, 2024, 11:31:28 PM (4 days ago) Jun 28Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Theodore Ts'o, Andreas Dilger, linux...@vger.kernel.org, linux-...@vger.kernel.org, sk...@linuxfoundation.org, syzkall...@googlegroups.com, linux-kern...@lists.linuxfoundation.org, syzbot+2cab87...@syzkaller.appspotmail.com, Pei Li
Specify the size of s_volume_name in strscpy_pad() to avoid buffer
overflow.
Reported-by:
syzbot+2cab87...@syzkaller.appspotmail.com
Closes:
https://syzkaller.appspot.com/bug?extid=2cab87506a0e7885f4b9
Signed-off-by: Pei Li <
peil...@gmail.com>
---
strscpy_pad() by default takes the size of destination string as the
size to be read from source string. However, as s_volume_name is only
declared as an array of size EXT4_LABEL_MAX, we are reading 1 byte more
than expected.
Specify the size of s_volume_name in strscpy_pad() to avoid buffer
overflow.
---
fs/ext4/ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index dab7acd49709..0c4fb579757a 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -1151,7 +1151,7 @@ static int ext4_ioctl_getlabel(struct ext4_sb_info *sbi, char __user *user_label
BUILD_BUG_ON(EXT4_LABEL_MAX >= FSLABEL_MAX);
lock_buffer(sbi->s_sbh);
- strscpy_pad(label, sbi->s_es->s_volume_name);
+ strscpy_pad(label, sbi->s_es->s_volume_name, EXT4_LABEL_MAX);
unlock_buffer(sbi->s_sbh);
if (copy_to_user(user_label, label, sizeof(label)))
---
base-commit: 55027e689933ba2e64f3d245fb1ff185b3e7fc81
change-id: 20240628-bug8-7f700a228c4a
Best regards,
--
Pei Li <
peil...@gmail.com>