Linux RAID subsystem development
 help / color / mirror / Atom feed
* [PATCH] mdopen: prevent named arrays devices from buffer overflow
@ 2017-08-03 16:48 jcejka
  2017-08-10  9:32 ` [PATCH v2] " jcejka
  0 siblings, 1 reply; 2+ messages in thread
From: jcejka @ 2017-08-03 16:48 UTC (permalink / raw)
  To: linux-raid; +Cc: Josef Cejka

From: Josef Cejka <jcejka@suse.com>

Device names md_XXX for named arrays must fit into 32 bytes
and longer strings provided by user should be rejected. Now they
corrupt the stack (overwrite following devname[] buffer) and
(if not detected) create arrays using old create_on_open
mechanism because write to new_array fails with E2BIG.

Reproducer:
mdadm -A /dev/md/abcdefghijklmnopqrstuvwxyz123 --uuid=...

Signed-off-by: Josef Cejka <jcejka@suse.com>
---
 mdopen.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/mdopen.c b/mdopen.c
index 0f3a244..fd8a1db 100644
--- a/mdopen.c
+++ b/mdopen.c
@@ -314,7 +314,10 @@ int create_mddev(char *dev, char *name, int autof, int trustworthy,
 	if (num < 0 && cname && ci->names) {
 		int fd;
 		int n = -1;
-		sprintf(devnm, "md_%s", cname);
+		if (snprintf(devnm, sizeof(devnm), "md_%s", cname) >= sizeof(devnm)) {
+			pr_err("Device name md_%s must be shorter than %d bytes.\n", cname, sizeof(devnm));
+			return -1;
+		}
 		if (block_udev)
 			udev_block(devnm);
 		fd = open("/sys/module/md_mod/parameters/new_array", O_WRONLY);
@@ -364,7 +367,10 @@ int create_mddev(char *dev, char *name, int autof, int trustworthy,
 			udev_block(devnm);
 	}
 
-	sprintf(devname, "/dev/%s", devnm);
+	if (snprintf(devname, sizeof(devname), "/dev/%s", devnm) >= sizeof(devname)) {
+		pr_err("Device path /dev/%s must be shorter than %d bytes.\n", devnm, sizeof(devname));
+		return -1;
+	}
 
 	if (dev && dev[0] == '/')
 		strcpy(chosen, dev);
-- 
2.12.3


^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-08-10  9:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-08-03 16:48 [PATCH] mdopen: prevent named arrays devices from buffer overflow jcejka
2017-08-10  9:32 ` [PATCH v2] " jcejka

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox