[PATCH] xfsprogs: fix Out-of-bounds access in repair/dinode.c
Ben Myers
bpm at sgi.com
Fri Aug 23 11:38:28 CDT 2013
Hey Rich and Li Zhong,
On Wed, Aug 21, 2013 at 11:51:11AM -0500, Rich Johnston wrote:
> Looks good, thanks for the patch Li Zhong. it has been committed.
>
> --Rich
>
> Reviewed-by: Rich Johnston <rjohnston at sgi.com>
>
> commit e7c05095f5baa9cd2e35a6de03d7dd9f51dd3910
> Author: Li Zhong <zhong at linux.vnet.ibm.com>
> Date: Mon Aug 12 06:11:01 2013 +0000
>
> xfsprogs: fix Out-of-bounds access in repair/dinode.c
>
> On 08/12/2013 01:11 AM, Li Zhong wrote:
> >Following is reported by coverity in bug 1061528:
> >
> >187 __dirty_no_modify_ret(dirty);
> >
> >CID 1061528 (#1 of 1): Out-of-bounds access (OVERRUN)53. overrun-buffer-arg: Overrunning array "dinoc->di_pad" of 6 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL".
> >188 memset(dinoc->di_pad, 0, 16);
> >
> >It seems that di_pad here should be di_pad2, as sekharan pointed out.
> >
> >Signed-off-by: Li Zhong <zhong at linux.vnet.ibm.com>
> >---
> > repair/dinode.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> >diff --git a/repair/dinode.c b/repair/dinode.c
> >index e607f0b..94bf2f8 100644
> >--- a/repair/dinode.c
> >+++ b/repair/dinode.c
> >@@ -183,9 +183,9 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num)
> > }
> >
> > for (i = 0; i < 16; i++) {
> >- if (dinoc->di_pad[i] != 0) {
> >+ if (dinoc->di_pad2[i] != 0) {
> > __dirty_no_modify_ret(dirty);
> >- memset(dinoc->di_pad, 0, 16);
> >+ memset(dinoc->di_pad2, 0, 16);
> > break;
> > }
> > }
We also discussed this issue a bit in this thread:
http://oss.sgi.com/archives/xfs/2013-08/msg00228.html
Looks like the loop itself is incorrect and should be removed, and Eric has
suggested that the conditional be changed to a memcmp in case the size of the
pad changes in the future. Would either of you care to spin up another patch
to clean it up?
Thanks,
Ben
More information about the xfs
mailing list