From patchwork Thu Apr 18 17:08:23 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1925128
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M/J][PATCH 1/1] afs: Increase buffer size in afs_update_volume_status()
Date: Thu, 18 Apr 2024 12:08:23 -0500
Message-Id: <20240418170823.17674-2-bethany.jamison@canonical.com>
In-Reply-To: <20240418170823.17674-1-bethany.jamison@canonical.com>
References: <20240418170823.17674-1-bethany.jamison@canonical.com>

From: Daniil Dulov

[ Upstream commit 6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d ]

The max length of volume->vid value is 20 characters.
So increase idbuf[] size up to 24 to avoid overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]

Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
Signed-off-by: Daniil Dulov
Signed-off-by: David Howells
Link: https://lore.kernel.org/r/20240211150442.3416-1-d.dulov@aladdin.ru/ # v1
Link: https://lore.kernel.org/r/20240212083347.10742-1-d.dulov@aladdin.ru/ # v2
Link: https://lore.kernel.org/r/20240219143906.138346-3-dhowells@redhat.com
Signed-off-by: Christian Brauner
Signed-off-by: Sasha Levin
(cherry picked from commit 6e6065dd25b661420fac19c34282b6c626fcd35e linux-6.6.y)
CVE-2024-26736
Signed-off-by: Bethany Jamison
--- fs/afs/volume.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/afs/volume.c b/fs/afs/volume.c index 115c081a8e2ce..c028598a903c9 100644 --- a/fs/afs/volume.c +++ b/fs/afs/volume.c
@@ -337,7 +337,7 @@ static int afs_update_volume_status(struct afs_volume *volume, struct key *key) { struct afs_server_list *new, *old, *discard; struct afs_vldb_entry *vldb; - char idbuf[16]; + char idbuf[24]; int ret, idsz; _enter(""); @@ -345,7 +345,7 @@ static int afs_update_volume_status(struct afs_volume *volume, struct key *key) /* We look up an ID by passing it as a decimal string in the * operation's name parameter. */ - idsz = sprintf(idbuf, "%llu", volume->vid); + idsz = snprintf(idbuf, sizeof(idbuf), "%llu", volume->vid); vldb = afs_vl_lookup_vldb(volume->cell, key, idbuf, idsz); if (IS_ERR(vldb)) {
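Review bot: in the first hunk, `char idbuf[24];` is a bare size whose derivation is recorded only in the commit message (20 decimal digits for the largest "%llu" value, plus the NUL, rounded up to 24). A one-line comment on the declaration stating that would keep a later cleanup from shrinking the buffer back below 21 bytes.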
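Review bot: in the second hunk, snprintf() returns the length the output would have had rather than the number of bytes actually stored, and idsz is passed straight to afs_vl_lookup_vldb() as the string length. With a 24-byte buffer and "%llu" the output cannot be truncated, so idsz is correct as written, but scnprintf() would keep idsz bounded by sizeof(idbuf) if the format or the buffer size ever changes.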