xfs
[Top] [All Lists]

Re: [PATCH] xfsprogs: fix Out-of-bounds access in repair/dinode.c

To: Rich Johnston <rjohnston@xxxxxxx>, Li Zhong <zhong@xxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH] xfsprogs: fix Out-of-bounds access in repair/dinode.c
From: Ben Myers <bpm@xxxxxxx>
Date: Fri, 23 Aug 2013 11:38:28 -0500
Cc: Chandra Seetharaman <sekharan@xxxxxxxxxx>, xfsprogs <xfs@xxxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <5214EFFF.4060105@xxxxxxx>
References: <1376287861.2822.13.camel@ThinkPad-T5421> <5214EFFF.4060105@xxxxxxx>
User-agent: Mutt/1.5.20 (2009-06-14)
Hey Rich and Li Zhong,

On Wed, Aug 21, 2013 at 11:51:11AM -0500, Rich Johnston wrote:
> Looks good, thanks for the patch Li Zhong. it has been committed.
> 
> --Rich
> 
> Reviewed-by: Rich Johnston <rjohnston@xxxxxxx>
> 
> commit e7c05095f5baa9cd2e35a6de03d7dd9f51dd3910
> Author: Li Zhong <zhong@xxxxxxxxxxxxxxxxxx>
> Date:   Mon Aug 12 06:11:01 2013 +0000
> 
>     xfsprogs: fix Out-of-bounds access in repair/dinode.c
> 
> On 08/12/2013 01:11 AM, Li Zhong wrote:
> >Following is reported by coverity in bug 1061528:
> >
> >187                        __dirty_no_modify_ret(dirty);
> >
> >CID 1061528 (#1 of 1): Out-of-bounds access (OVERRUN)53. overrun-buffer-arg: 
> >Overrunning array "dinoc->di_pad" of 6 bytes by passing it to a function 
> >which accesses it at byte offset 15 using argument "16UL".
> >188                        memset(dinoc->di_pad, 0, 16);
> >
> >It seems that di_pad here should be di_pad2, as sekharan pointed out.
> >
> >Signed-off-by: Li Zhong <zhong@xxxxxxxxxxxxxxxxxx>
> >---
> >  repair/dinode.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> >diff --git a/repair/dinode.c b/repair/dinode.c
> >index e607f0b..94bf2f8 100644
> >--- a/repair/dinode.c
> >+++ b/repair/dinode.c
> >@@ -183,9 +183,9 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t 
> >*dinoc, xfs_ino_t ino_num)
> >     }
> >
> >     for (i = 0; i < 16; i++) {
> >-            if (dinoc->di_pad[i] != 0) {
> >+            if (dinoc->di_pad2[i] != 0) {
> >                     __dirty_no_modify_ret(dirty);
> >-                    memset(dinoc->di_pad, 0, 16);
> >+                    memset(dinoc->di_pad2, 0, 16);
> >                     break;
> >             }
> >     }

We also discussed this issue a bit in this thread:
http://oss.sgi.com/archives/xfs/2013-08/msg00228.html

Looks like the loop itself is incorrect and should be removed, and Eric has
suggested that the conditional be changed to a memcmp in case the size of the
pad changes in the future.  Would either of you care to spin up another patch
to clean it up?

Thanks,
        Ben

<Prev in Thread] Current Thread [Next in Thread>