xfs
[Top] [All Lists]

Re: [PATCH] xfsprogs: fix Out-of-bounds access in repair/dinode.c

To: Li Zhong <zhong@xxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH] xfsprogs: fix Out-of-bounds access in repair/dinode.c
From: Ben Myers <bpm@xxxxxxx>
Date: Mon, 26 Aug 2013 11:51:23 -0500
Cc: Rich Johnston <rjohnston@xxxxxxx>, Chandra Seetharaman <sekharan@xxxxxxxxxx>, xfsprogs <xfs@xxxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <1377483327.2834.7.camel@ThinkPad-T5421>
References: <1376287861.2822.13.camel@ThinkPad-T5421> <5214EFFF.4060105@xxxxxxx> <20130823163828.GS5262@xxxxxxx> <1377483327.2834.7.camel@ThinkPad-T5421>
User-agent: Mutt/1.5.20 (2009-06-14)
Hey Zhong,

On Mon, Aug 26, 2013 at 10:15:27AM +0800, Li Zhong wrote:
> On Fri, 2013-08-23 at 11:38 -0500, Ben Myers wrote:
> > Hey Rich and Li Zhong,
> > 
> > On Wed, Aug 21, 2013 at 11:51:11AM -0500, Rich Johnston wrote:
> > > Looks good, thanks for the patch Li Zhong. it has been committed.
> > > 
> > > --Rich
> > > 
> > > Reviewed-by: Rich Johnston <rjohnston@xxxxxxx>
> > > 
> > > commit e7c05095f5baa9cd2e35a6de03d7dd9f51dd3910
> > > Author: Li Zhong <zhong@xxxxxxxxxxxxxxxxxx>
> > > Date:   Mon Aug 12 06:11:01 2013 +0000
> > > 
> > >     xfsprogs: fix Out-of-bounds access in repair/dinode.c
> > > 
> > > On 08/12/2013 01:11 AM, Li Zhong wrote:
> > > >Following is reported by coverity in bug 1061528:
> > > >
> > > >187                        __dirty_no_modify_ret(dirty);
> > > >
> > > >CID 1061528 (#1 of 1): Out-of-bounds access (OVERRUN)53. 
> > > >overrun-buffer-arg: Overrunning array "dinoc->di_pad" of 6 bytes by 
> > > >passing it to a function which accesses it at byte offset 15 using 
> > > >argument "16UL".
> > > >188                        memset(dinoc->di_pad, 0, 16);
> > > >
> > > >It seems that di_pad here should be di_pad2, as sekharan pointed out.
> > > >
> > > >Signed-off-by: Li Zhong <zhong@xxxxxxxxxxxxxxxxxx>
> > > >---
> > > >  repair/dinode.c | 4 ++--
> > > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > >
> > > >diff --git a/repair/dinode.c b/repair/dinode.c
> > > >index e607f0b..94bf2f8 100644
> > > >--- a/repair/dinode.c
> > > >+++ b/repair/dinode.c
> > > >@@ -183,9 +183,9 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t 
> > > >*dinoc, xfs_ino_t ino_num)
> > > >         }
> > > >
> > > >         for (i = 0; i < 16; i++) {
> > > >-                if (dinoc->di_pad[i] != 0) {
> > > >+                if (dinoc->di_pad2[i] != 0) {
> > > >                         __dirty_no_modify_ret(dirty);
> > > >-                        memset(dinoc->di_pad, 0, 16);
> > > >+                        memset(dinoc->di_pad2, 0, 16);
> > > >                         break;
> > > >                 }
> > > >         }
> > 
> > We also discussed this issue a bit in this thread:
> > http://oss.sgi.com/archives/xfs/2013-08/msg00228.html
> > 
> > Looks like the loop itself is incorrect and should be removed, and Eric has
> > suggested that the conditional be changed to a memcmp in case the size of 
> > the
> > pad changes in the future.  Would either of you care to spin up another 
> > patch
> > to clean it up?
> 
> Hi Ben, 
> 
> If I understand correctly, we need to change 16 to be a sizeof the
> di_pad2 array(like the fix attached below)? 
> 
> It seems to me that the loop is needed to check all of the 16 entries in
> the array? 

You are correct.  We need the loop...

> Thanks, Zhong
> 
> ---
> diff --git a/repair/dinode.c b/repair/dinode.c
> index b2b9a95..7469fc8 100644
> --- a/repair/dinode.c
> +++ b/repair/dinode.c
> @@ -182,10 +182,10 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t 
> *dinoc, xfs_ino_t ino_num)
>               platform_uuid_copy(&dinoc->di_uuid, &mp->m_sb.sb_uuid);
>       }
>  
> -     for (i = 0; i < 16; i++) {
> +     for (i = 0; i < sizeof(dinoc->di_pad2)/sizeof(dinoc->di_pad2[0]); i++) {

Just sizeof(dinoc->di_pad2) would be enough here, right?  No need for the
division I think.

>               if (dinoc->di_pad2[i] != 0) {
>                       __dirty_no_modify_ret(dirty);
> -                     memset(dinoc->di_pad2, 0, 16);
> +                     memset(dinoc->di_pad2, 0, sizeof(dinoc->di_pad2));
                                                  ^^^^^^^^^^^^^^^^^^^^^^

That guy will return 16, so we'll memset off the end of di_pad2.
sizeof(dinoc->di_pad2[0]) would work.

Thanks!
-Ben

<Prev in Thread] Current Thread [Next in Thread>