You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
49 lines
1.6 KiB
49 lines
1.6 KiB
From 7f960c3bd050e76f8bf0a8a0c8fbdcbaa565fc78 Mon Sep 17 00:00:00 2001
|
|
From: Blazej Kucman <blazej.kucman@intel.com>
|
|
Date: Fri, 22 Nov 2024 11:01:04 +0100
|
|
Subject: [PATCH 1/1] platform-intel: fix buffer overflow
|
|
|
|
mdadm -C /dev/md/imsm0 -e imsm -n 2 /dev/nvme5n1 /dev/nvme4n1 -R
|
|
mdadm -C /dev/md/r0d2 -l 0 -n 2 /dev/nvme5n1 /dev/nvme4n1 -R
|
|
*** buffer overflow detected ***: terminated
|
|
Aborted (core dumped)
|
|
|
|
Issue is related to D_FORTIFY_SOURCE=3 flag and depends on environment,
|
|
especially compiler version. In function active_arrays_by_format length of
|
|
path buffer is calculated dynamically based on parameters, while PATH_MAX
|
|
is used in snprintf, this is my lead to buffer overflow.
|
|
|
|
It is fixed by change dynamic length calculation, to use define PATH_MAX
|
|
for path length.
|
|
|
|
Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
|
|
---
|
|
super-intel.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/super-intel.c b/super-intel.c
|
|
index 87026f5a0e80..9c464945d09c 100644
|
|
--- a/super-intel.c
|
|
+++ b/super-intel.c
|
|
@@ -7055,7 +7055,8 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist,
|
|
int fd = -1;
|
|
|
|
while (dev && !is_fd_valid(fd)) {
|
|
- char *path = xmalloc(strlen(dev->name) + strlen("/dev/") + 1);
|
|
+ char path[PATH_MAX];
|
|
+
|
|
num = snprintf(path, PATH_MAX, "%s%s", "/dev/", dev->name);
|
|
if (num > 0)
|
|
fd = open(path, O_RDONLY, 0);
|
|
@@ -7063,7 +7064,6 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist,
|
|
pr_vrb("Cannot open %s: %s\n",
|
|
dev->name, strerror(errno));
|
|
}
|
|
- free(path);
|
|
dev = dev->next;
|
|
}
|
|
found = 0;
|
|
--
|
|
2.32.0 (Apple Git-132)
|
|
|