[PATCH OLK-6.6] parse_longname(): strrchr() expects NUL-terminated string
From: Al Viro <viro@zeniv.linux.org.uk>

stable inclusion
from stable-v6.12.42
commit bb80f7618832d26f7e395f52f82b1dac76223e5f
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/9111
CVE: CVE-2025-38660

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

------------------

[ Upstream commit 101841c38346f4ca41dc1802c867da990ffb32eb ]

... and parse_longname() is not guaranteed that. That's the reason
why it uses kmemdup_nul() to build the argument for kstrtou64();
the problem is, kstrtou64() is not the only thing that needs it.

Just get a NUL-terminated copy of the entire thing and be done
with that...

Fixes: dd66df0053ef ("ceph: add support for encrypted snapshot names")
Tested-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Quanmin Yan <yanquanmin1@huawei.com>
---
 fs/ceph/crypto.c | 31 ++++++++++++-------------------
 1 file changed, 12 insertions(+), 19 deletions(-)

diff --git a/fs/ceph/crypto.c b/fs/ceph/crypto.c
index 08c385610731..fa2aaf1d30f8 100644
--- a/fs/ceph/crypto.c
+++ b/fs/ceph/crypto.c
@@ -213,35 +213,31 @@ static struct inode *parse_longname(const struct inode *parent, { struct inode *dir = NULL; struct ceph_vino vino = { .snap = CEPH_NOSNAP }; - char *inode_number; - char *name_end; - int orig_len = *name_len; + char *name_end, *inode_number; int ret = -EIO; - + /* NUL-terminate */ + char *str __free(kfree) = kmemdup_nul(name, *name_len, GFP_KERNEL); + if (!str) + return ERR_PTR(-ENOMEM); /* Skip initial '_' */ - name++; - name_end = strrchr(name, '_'); + str++; + name_end = strrchr(str, '_'); if (!name_end) { - dout("Failed to parse long snapshot name: %s\n", name); + dout("Failed to parse long snapshot name: %s\n", str); return ERR_PTR(-EIO); } - *name_len = (name_end - name); + *name_len = (name_end - str); if (*name_len <= 0) { pr_err("Failed to parse long snapshot name\n"); return ERR_PTR(-EIO); } /* Get the inode number */ - inode_number = kmemdup_nul(name_end + 1, - orig_len - *name_len - 2, - GFP_KERNEL); - if (!inode_number) - return ERR_PTR(-ENOMEM); + inode_number = name_end + 1; ret = kstrtou64(inode_number, 10, &vino.ino); if (ret) { - dout("Failed to parse inode number: %s\n", name); - dir = ERR_PTR(ret); - goto out; + dout("Failed to parse inode number: %s\n", str); + return ERR_PTR(ret); } /* And finally the inode */ @@ -252,9 +248,6 @@ static struct inode *parse_longname(const struct inode *parent, if (IS_ERR(dir)) dout("Can't find inode %s (%s)\n", inode_number, name); } - -out: - kfree(inode_number); return dir; } -- 2.43.0
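Review bot: in the first hunk (@@ -213,35 +213,31 @@), `str` is declared with `__free(kfree)` and then modified by `str++`, so the cleanup that runs at scope exit hands kfree() the advanced pointer (allocation start plus one) instead of the pointer kmemdup_nul() returned. Keep the owning variable untouched and skip the leading '_' through a second, non-owning pointer (for instance a separate cursor initialised to `str + 1` and used for the strrchr() call, the `*name_len` subtraction and the dout() arguments), so every return path frees the original allocation.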
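Review bot: in the second hunk (@@ -252,9 +248,6 @@), the unchanged context line `dout("Can't find inode %s (%s)\n", inode_number, name);` still formats the caller's `name` with `%s`, and the commit message states that this buffer is not guaranteed to be NUL-terminated. The other two dout() calls in this patch were switched to the terminated copy; this one should print `str` as well, otherwise the debug path can still read past the end of the name.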
FeedBack:
The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/20648
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/OZM...
Participants (2): patchwork bot, Quanmin Yan