From: Nikhil Kshirsagar <nkshirsa@redhat.com>
To: linux-raid@vger.kernel.org
Subject: [PATCH] mdadm --detail --scan causes SIGABRT
Date: Fri, 10 Jun 2016 09:50:40 +0530	[thread overview]
Message-ID: <575A4018.8050500@redhat.com> (raw)



Please find attached a patch to fix BZ 1343809.

Details:
mdadm has a buffer overflow if mdinfo->sys_name needs to store a name
larger than 20 characters.

Core was generated by `mdadm --detail /dev/md0'.
Program terminated with signal 6, Aborted.
#0  0x0000003a93e325e5 in raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) where
#0  0x0000003a93e325e5 in raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003a93e33dc5 in abort () at abort.c:92
#2  0x0000003a93e704f7 in __libc_message (do_abort=2, fmt=0x3a93f578cf
"*** %s ***: %s terminated\n") at
../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x0000003a93f026d7 in __fortify_fail (msg=0x3a93f57875 "buffer
overflow detected") at fortify_fail.c:32
#4  0x0000003a93f005c0 in __chk_fail () at chk_fail.c:29
#5  0x000000000044fe59 in strcpy (fd=<value optimized out>, devnm=<value
optimized out>, options=<value optimized out>) at
/usr/include/bits/string3.h:105
#6  sysfs_read (fd=<value optimized out>, devnm=<value optimized out>,
options=<value optimized out>) at sysfs.c:272
#7  0x000000000041cdfa in Detail (dev=0x7fffe35f1473 "/dev/md0",
c=0x7fffe35ef590) at Detail.c:106
#8  0x0000000000405ed3 in misc_list (argc=<value optimized out>,
argv=<value optimized out>) at mdadm.c:1747
#9  main (argc=<value optimized out>, argv=<value optimized out>) at
mdadm.c:1425
(gdb)


The line that causes the fault is sysfs.c line 272:

                strcpy(dev->sys_name, de->d_name);

(gdb) print *de
$9 = {d_ino = 14458, d_off = 14471, d_reclen = 40, d_type = 4 '\004',
  d_name =
"dev-oczpcie_23_0_ssd\000\207\070\000\000\000\000\000\000\264\070\000\000\000\000\000\000(\000\004dev-oczpcie_11_0_ssd\000\264\070\000\000\000\000\000\000\265\070\000\000\000\000\000\000
\000\bsync_action\000\b\265\070\000\000\000\000\000\000\266\070\000\000\000\000\000\000(\000\blast_sync_action\000\000\000\000\b\266\070\000\000\000\000\000\000\267\070\000\000\000\000\000\000
\000\bmismatch_cnt\000\267\070\000\000\000\000\000\000\270\070\000\000\000\000\000\000(\000\bsync_speed_min\000\000\000\000\000\000\b\270\070\000\000\000\000\000\000\271\070\000\000\000\000\000\000(\000\bsync_speed_max\000\000\000\000\000\000\b\271\070\000\000\000\000\000\000\272\070"}
(gdb)

dev-oczpcie_23_0_ssd itself is 20 bytes.

There is no place left for the terminating \0.

(gdb) ptype dev
type = struct mdinfo {
    mdu_array_info_t array;
    mdu_disk_info_t disk;
    __u64 events;
    int uuid[4];
    char name[33];
    long long unsigned int data_offset;
    long long unsigned int new_data_offset;
    long long unsigned int component_size;
    long long unsigned int custom_array_size;
    int reshape_active;
    long long unsigned int reshape_progress;
    int recovery_blocked;
    long long unsigned int space_before;
    long long unsigned int space_after;
    union {
        long long unsigned int resync_start;
        long long unsigned int recovery_start;
    };
    long int bitmap_offset;
    long unsigned int safe_mode_delay;
    int new_level;
    int delta_disks;
    int new_layout;
    int new_chunk;
    int errors;
    long unsigned int cache_size;
    int mismatch_cnt;
    char text_version[50];
    int container_member;
    int container_enough;
    char sys_name[20];             <---  20 .
    struct mdinfo *devs;
    struct mdinfo *next;
    int recovery_fd;
    int state_fd;
    int prev_state;
    int curr_state;
    int next_state;
} *
(gdb)

The patch increases the size of sys_name[] to 32 bytes to match the size
of other device name arrays in the mdadm codebase. A customer reported
this issue in SFDC case 01621749.

Thanks,
nikhil.


[-- Attachment #2: 0001-Fix-for-bz-1343809.patch --]
[-- Type: text/x-patch, Size: 788 bytes --]

From 2c3b5692f8c5933e8746305f589efa4edcc00f3c Mon Sep 17 00:00:00 2001
From: Nikhil Kshirsagar <nkshirsa@redhat.com>
Date: Fri, 10 Jun 2016 08:50:10 +0530
Subject: [PATCH] Fix for bz 1343809.

The sys_name array in the mdinfo structure is 20 bytes of storage.
Increasing the size of this array to 32 bytes.
---
 mdadm.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdadm.h b/mdadm.h
index b597658..eb2333a 100644
--- a/mdadm.h
+++ b/mdadm.h
@@ -235,7 +235,7 @@ struct mdinfo {
 	int container_enough; /* flag external handlers can set to
 			       * indicate that subarrays have not enough (-1),
 			       * enough to start (0), or all expected disks (1) */
-	char		sys_name[20];
+	char		sys_name[32];
 	struct mdinfo *devs;
 	struct mdinfo *next;
 
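Review bot: the copy site the report points at, `strcpy(dev->sys_name, de->d_name)` at sysfs.c:272, stays unbounded after this hunk; only the declaration changes, so a sysfs entry name of 32 or more characters (a dirent d_name can carry up to NAME_MAX, 255, characters) still overruns sys_name[32] and trips the same __chk_fail. Pair the size change with a bounded copy at sysfs.c:272 (for example `strncpy(dev->sys_name, de->d_name, sizeof(dev->sys_name) - 1)` followed by explicit NUL termination, or a length check that skips over-long entries), and have the commit message say why 32 was chosen; the cover mail explains it matches the other device-name arrays, but the commit message only says the size is being increased.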
-- 
1.8.3.1
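As an added illustration, not code from the mail or from mdadm: a bounded replacement for the strcpy() pattern the backtrace points at, run against the 20-character entry name from the report with the old 20-byte and new 32-byte field sizes, plus a constructed longer name showing that 32 bytes alone is not a hard bound. copy_sys_name is a hypothetical helper.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper, not mdadm's code: copy a directory entry name
 * into a fixed-size field, refusing names that do not fit instead of
 * running past the end the way the unbounded strcpy() at sysfs.c:272 did.
 * Returns 0 on success, -1 if name plus its NUL does not fit; dst is
 * NUL-terminated either way.
 */
static int copy_sys_name(char *dst, size_t dstsz, const char *src)
{
    size_t len = 0;

    if (dstsz == 0)
        return -1;
    /* Bounded scan: never look further than could possibly fit. */
    while (len < dstsz && src[len] != '\0')
        len++;
    if (len >= dstsz) {          /* no room left for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* includes the NUL */
    return 0;
}

int main(void)
{
    /* The entry from the crash report: 20 characters, 21 bytes with NUL. */
    const char *name = "dev-oczpcie_23_0_ssd";
    char old_field[20];          /* sys_name[20], before the patch */
    char new_field[32];          /* sys_name[32], after the patch */
    char longname[64];           /* constructed: legal sysfs name longer than both */

    memset(longname, 'x', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("%s into char[20]: %s\n", name,
           copy_sys_name(old_field, sizeof old_field, name) ? "rejected" : "ok");
    printf("%s into char[32]: %s\n", name,
           copy_sys_name(new_field, sizeof new_field, name) ? "rejected" : "ok");
    /* d_name may hold up to NAME_MAX (255) characters, so 32 is not a hard bound. */
    printf("63-char name into char[32]: %s\n",
           copy_sys_name(new_field, sizeof new_field, longname) ? "rejected" : "ok");
    return 0;
}
```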

