
dm_get_dirattrs can write past end of user buffer

To: xfs@xxxxxxxxxxx
Subject: dm_get_dirattrs can write past end of user buffer
From: Kevin Jamieson <kevin@xxxxxxxxxxxxxxxxx>
Date: Sat, 31 Jan 2009 16:12:52 -0800
Reply-to: kevin@xxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.14 (Macintosh/20080421)
I have observed segfaults with an application that calls dm_get_dirattrs
with the latest DMAPI kernel built from SGI CVS.

The problem appears to be in dm_filldir:

        needed = dm_stat_size(namelen + 1);
        ...
        error = -xfs_dm_bulkattr_iget_one(cb->mp, ino, 0,
                statp, needed);
        ...
        /*
         * On return from bulkstat_one(), statp->_link points
         * at the end of the handle in the stat structure.
         */
        statp->dt_compname.vd_offset = statp->_link;
        statp->dt_compname.vd_length = namelen + 1;

xfs_dm_bulkattr_iget_one() sets statp->_link to needed, so the name ends
up getting written past the space reserved for the name, which can
exceed cb->spaceleft.

The below patch appears to fix the problem.


Index: fs/xfs/dmapi/xfs_dm.c
===================================================================
RCS file: /cvs/linux-2.6-xfs/fs/xfs/dmapi/xfs_dm.c,v
retrieving revision 1.81
diff -u -r1.81 xfs_dm.c
--- fs/xfs/dmapi/xfs_dm.c       28 Oct 2008 05:39:09 -0000      1.81
+++ fs/xfs/dmapi/xfs_dm.c       31 Jan 2009 23:08:07 -0000
@@ -1793,7 +1793,7 @@

        memset(statp, 0, dm_stat_size(MAXNAMLEN));
        error = -xfs_dm_bulkattr_iget_one(cb->mp, ino, 0,
-                       statp, needed);
+                       statp, DM_STAT_SIZE(*statp, 0));
        if (error)
                goto out_err;
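Review bot: the new size argument DM_STAT_SIZE(*statp, 0) only fixes the overrun because xfs_dm_bulkattr_iget_one() stores that argument in statp->_link and the name is then placed at _link with length namelen + 1, so the write now stays within needed = dm_stat_size(namelen + 1); that dependency is invisible at this call site and deserves a comment, otherwise the argument reads as a mismatch against the memset(statp, 0, dm_stat_size(MAXNAMLEN)) just above it. Consider also guarding the name placement itself, rejecting the entry via the existing out_err path if statp->_link + namelen + 1 > needed, so a later change to how _link is set cannot reintroduce the overrun silently.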

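Added example, not code from the post or from the kernel: a C model of the dm_filldir placement logic described above, with a made-up HEADER_SIZE standing in for DM_STAT_SIZE(*statp, 0) and a canary-padded scratch buffer that measures how many bytes past `needed` are written under the original sizing and under the patched one.

```c
/* Model of the dm_filldir name placement (constructed, not kernel code).
 * A record is a fixed header (struct fields plus handle, which is what
 * DM_STAT_SIZE(*statp, 0) measures) followed by the NUL-terminated name. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HEADER_SIZE  64   /* stand-in for DM_STAT_SIZE(*statp, 0) */
#define SCRATCH_SIZE 512  /* canary-padded scratch area for the simulation */
#define CANARY       0xA5

/* Stand-in for dm_stat_size(namelen + 1): header, name and trailing NUL. */
static size_t stat_size(size_t namelen) { return HEADER_SIZE + namelen + 1; }

/* statp->_link as xfs_dm_bulkattr_iget_one() leaves it: equal to the size
 * argument it was handed. The bug passes `needed`; the patch passes the
 * name-less record size. */
static size_t link_for_size_arg(size_t size_arg) { return size_arg; }

/* The bounds check a defender would want before the name is copied. */
static int name_fits(size_t link, size_t namelen, size_t needed) {
    return link + namelen + 1 <= needed;
}

/* Write the record for a name of `namelen` bytes into a canary-filled
 * scratch area and return how many bytes beyond `needed` were clobbered.
 * fixed == 0 reproduces the original sizing, fixed != 0 the patched one. */
static size_t overrun_bytes(size_t namelen, int fixed) {
    uint8_t buf[SCRATCH_SIZE];
    size_t needed = stat_size(namelen);
    size_t link = link_for_size_arg(fixed ? HEADER_SIZE : needed);
    size_t clobbered = 0, i;

    if (link + namelen + 1 > sizeof buf)
        return (size_t)-1;              /* name too long for this model */
    memset(buf, CANARY, sizeof buf);
    memset(buf, 0, needed);             /* the memset(statp, 0, ...) step */
    memset(buf + link, 'n', namelen);   /* the name lands at _link */
    buf[link + namelen] = '\0';
    for (i = needed; i < sizeof buf; i++)
        if (buf[i] != CANARY)
            clobbered++;
    return clobbered;
}
```

With the original sizing the overrun is exactly namelen + 1 bytes, the whole name plus its NUL; with the patched sizing it is zero.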