* [PATCH v3] qnx4: fix use-after-free caused by strlen
@ 2021-03-22 20:23 Tong Zhang
From: Tong Zhang @ 2021-03-22 20:23 UTC (permalink / raw)
  To: Anders Larsen, linux-kernel; +Cc: Tong Zhang

If di_fname is not terminated by '\0', it can cause a buffer overrun and
trigger a use-after-free bug. This can happen in a corrupted or
malicious qnx4 image. Use strnlen to prevent buffer overrun.

[  513.248784] qnx4_readdir: bread failed (3718095557)
[  513.251109] BUG: KASAN: use-after-free in strlen+0x1f/0x40
[  513.251268] Read of size 1 at addr ffff888002700000 by task find/230
[  513.252069] Call Trace:
[  513.252869]  ? strlen+0x1f/0x40
[  513.253237]  strlen+0x1f/0x40
[  513.253329]  qnx4_lookup+0xab/0x220
[  513.253431]  __lookup_slow+0x103/0x220

Co-Developed-by: Anders Larsen <al@alarsen.net>
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Signed-off-by: Anders Larsen <al@alarsen.net>
---
v2: The name can grow longer than QNX4_SHORT_NAME_MAX if de is of
QNX4_FILE_LINK type and de should point to a qnx4_link_info struct, so
this is safe. We also remove redundant checks in this version.
v3: make commit log short and resend

 fs/qnx4/namei.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c
index 8d72221735d7..2bcbbd7c772e 100644
--- a/fs/qnx4/namei.c
+++ b/fs/qnx4/namei.c
@@ -40,9 +40,7 @@ static int qnx4_match(int len, const char *name,
 	} else {
 		namelen = QNX4_SHORT_NAME_MAX;
 	}
-	thislen = strlen( de->di_fname );
-	if ( thislen > namelen )
-		thislen = namelen;
+	thislen = strnlen( de->di_fname, namelen );
 	if (len != thislen) {
 		return 0;
 	}
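Review bot: the bound passed on the `+` line, `thislen = strnlen( de->di_fname, namelen );`, is only safe if de->di_fname really has namelen bytes inside the entry that de points at: QNX4_SHORT_NAME_MAX from the else branch above for an ordinary entry, and the longer link name only when de is a QNX4_FILE_LINK entry backed by a qnx4_link_info, as the v2 changelog asserts. Nothing in the code records that invariant; a one-line comment above the strnlen() call saying that namelen must not exceed the on-disk name field for the entry type would stop a later change to the if/else above from reintroducing an out-of-bounds read. Dropping the `if ( thislen > namelen )` clamp is fine, since strnlen() can never return more than namelen, so `len != thislen` below sees the same values as before for any terminated name. Minor: checkpatch will warn about the spaces inside the parentheses, but the surrounding file already uses that style, so keeping it consistent is defensible.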
-- 
2.25.1
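The following is an added example, not code from the kernel or from the patch author, to show what the fix changes. It models the qnx4_match() length check on a constructed directory entry whose di_fname is filled to capacity with no '\0': the pre-fix unbounded scan runs past the name field into whatever follows it, while strnlen() stops at namelen. The struct layout, the 16-byte QNX4_SHORT_NAME_MAX and the 64-byte entry size are assumptions made for the demo, and the unbounded scan is written by hand over the struct's own bytes so the demo itself stays in bounds.

```c
/* Added example, not kernel code: models the qnx4_match() name length check
 * on a constructed, unterminated directory entry. Sizes are assumptions. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHORT_NAME_MAX 16   /* assumed value of QNX4_SHORT_NAME_MAX */
#define DIR_ENTRY_SIZE 64   /* assumed on-disk directory entry size */

/* Minimal stand-in for the on-disk entry: only the fields used here. */
struct dir_entry {
    char di_fname[SHORT_NAME_MAX];                           /* not guaranteed NUL-terminated */
    unsigned char di_rest[DIR_ENTRY_SIZE - SHORT_NAME_MAX];  /* remaining fields */
};

/* Constructed input: a name that fills di_fname with no terminator, followed
 * by non-zero bytes, as a corrupted or hostile image could arrange. The first
 * NUL after the name sits 5 bytes into di_rest. */
struct dir_entry make_unterminated_entry(void) {
    struct dir_entry de;
    memset(&de, 0xAA, sizeof de);
    memcpy(de.di_fname, "0123456789ABCDEF", SHORT_NAME_MAX);
    de.di_rest[5] = 0;
    return de;
}

/* Pre-fix behaviour: strlen() walks until the first NUL, wherever that is.
 * Reproduced by hand over the struct's bytes so the demo itself stays in
 * bounds; the original strlen() call had no limit at all. */
size_t name_len_unbounded(const struct dir_entry *de) {
    const unsigned char *p = (const unsigned char *)de;
    size_t n = 0;
    while (n < sizeof *de && p[n] != 0)
        n++;
    return n;
}

/* Post-fix behaviour: the scan stops at namelen, so a missing terminator can
 * never push the read outside di_fname. */
size_t name_len_bounded(const struct dir_entry *de, size_t namelen) {
    return strnlen(de->di_fname, namelen);
}

/* The patched qnx4_match() logic: lengths must agree before bytes are
 * compared. Returns 1 on match, 0 otherwise. */
int match_bounded(const struct dir_entry *de, const char *name, size_t len) {
    size_t thislen = name_len_bounded(de, SHORT_NAME_MAX);
    if (len != thislen)
        return 0;
    return memcmp(de->di_fname, name, len) == 0;
}

int main(void) {
    struct dir_entry de = make_unterminated_entry();
    printf("unbounded scan length: %zu\n", name_len_unbounded(&de));   /* 21: ran past the field */
    printf("strnlen length:        %zu\n", name_len_bounded(&de, SHORT_NAME_MAX)); /* 16 */
    printf("16-byte name matches:  %d\n", match_bounded(&de, "0123456789ABCDEF", 16));
    printf("17-byte name matches:  %d\n", match_bounded(&de, "0123456789ABCDEFG", 17));
    return 0;
}
```

The old code clamped thislen to namelen after the fact, so the final comparison gave the same answer; the damage was the unbounded read itself, which in the reported trace reached a freed buffer-cache page. strnlen() keeps the comparison semantics and removes the read.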

