From: Nikhil Kshirsagar <nkshirsa@redhat.com>
To: linux-raid@vger.kernel.org
Subject: [PATCH] mdadm --detail --scan causes SIGABRT
Date: Fri, 10 Jun 2016 09:50:40 +0530
Message-ID: <575A4018.8050500@redhat.com>
Please find attached a patch to fix BZ 1343809.
Details:
mdadm has a buffer overflow if mdinfo->sys_name needs to store a name
larger than 20 characters.
Core was generated by `mdadm --detail /dev/md0'.
Program terminated with signal 6, Aborted.
#0 0x0000003a93e325e5 in raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) where
#0 0x0000003a93e325e5 in raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x0000003a93e33dc5 in abort () at abort.c:92
#2 0x0000003a93e704f7 in __libc_message (do_abort=2, fmt=0x3a93f578cf
"*** %s ***: %s terminated\n") at
../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3 0x0000003a93f026d7 in __fortify_fail (msg=0x3a93f57875 "buffer
overflow detected") at fortify_fail.c:32
#4 0x0000003a93f005c0 in __chk_fail () at chk_fail.c:29
#5 0x000000000044fe59 in strcpy (fd=<value optimized out>, devnm=<value
optimized out>, options=<value optimized out>) at
/usr/include/bits/string3.h:105
#6 sysfs_read (fd=<value optimized out>, devnm=<value optimized out>,
options=<value optimized out>) at sysfs.c:272
#7 0x000000000041cdfa in Detail (dev=0x7fffe35f1473 "/dev/md0",
c=0x7fffe35ef590) at Detail.c:106
#8 0x0000000000405ed3 in misc_list (argc=<value optimized out>,
argv=<value optimized out>) at mdadm.c:1747
#9 main (argc=<value optimized out>, argv=<value optimized out>) at
mdadm.c:1425
(gdb)
The line that causes the fault is "sysfs.c" line 272
strcpy(dev->sys_name, de->d_name);
(gdb) print *de
$9 = {d_ino = 14458, d_off = 14471, d_reclen = 40, d_type = 4 '\004',
d_name =
"dev-oczpcie_23_0_ssd\000\207\070\000\000\000\000\000\000\264\070\000\000\000\000\000\000(\000\004dev-oczpcie_11_0_ssd\000\264\070\000\000\000\000\000\000\265\070\000\000\000\000\000\000
\000\bsync_action\000\b\265\070\000\000\000\000\000\000\266\070\000\000\000\000\000\000(\000\blast_sync_action\000\000\000\000\b\266\070\000\000\000\000\000\000\267\070\000\000\000\000\000\000
\000\bmismatch_cnt\000\267\070\000\000\000\000\000\000\270\070\000\000\000\000\000\000(\000\bsync_speed_min\000\000\000\000\000\000\b\270\070\000\000\000\000\000\000\271\070\000\000\000\000\000\000(\000\bsync_speed_max\000\000\000\000\000\000\b\271\070\000\000\000\000\000\000\272\070"}
(gdb)
dev-oczpcie_23_0_ssd itself is 20 bytes.
There is no place left for the terminating \0:
(gdb) ptype dev
type = struct mdinfo {
mdu_array_info_t array;
mdu_disk_info_t disk;
__u64 events;
int uuid[4];
char name[33];
long long unsigned int data_offset;
long long unsigned int new_data_offset;
long long unsigned int component_size;
long long unsigned int custom_array_size;
int reshape_active;
long long unsigned int reshape_progress;
int recovery_blocked;
long long unsigned int space_before;
long long unsigned int space_after;
union {
long long unsigned int resync_start;
long long unsigned int recovery_start;
};
long int bitmap_offset;
long unsigned int safe_mode_delay;
int new_level;
int delta_disks;
int new_layout;
int new_chunk;
int errors;
long unsigned int cache_size;
int mismatch_cnt;
char text_version[50];
int container_member;
int container_enough;
char sys_name[20]; <--- 20 .
struct mdinfo *devs;
struct mdinfo *next;
int recovery_fd;
int state_fd;
int prev_state;
int curr_state;
int next_state;
} *
(gdb)
The patch increases the size of sys_name[] to 32 bytes to match the size
of other device name arrays in the mdadm codebase. A customer reported
this issue in SFDC case 01621749.
Thanks,
nikhil.
[-- Attachment #2: 0001-Fix-for-bz-1343809.patch --]
From 2c3b5692f8c5933e8746305f589efa4edcc00f3c Mon Sep 17 00:00:00 2001
From: Nikhil Kshirsagar <nkshirsa@redhat.com>
Date: Fri, 10 Jun 2016 08:50:10 +0530
Subject: [PATCH] Fix for bz 1343809.
The sys_name array in the mdinfo structure is 20 bytes of storage.
Increasing the size of this array to 32 bytes.
---
mdadm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mdadm.h b/mdadm.h
index b597658..eb2333a 100644
--- a/mdadm.h
+++ b/mdadm.h
@@ -235,7 +235,7 @@ struct mdinfo {
int container_enough; /* flag external handlers can set to
* indicate that subarrays have not enough (-1),
* enough to start (0), or all expected disks (1) */
- char sys_name[20];
+ char sys_name[32];
struct mdinfo *devs;
struct mdinfo *next;
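Review bot: widening sys_name to 32 bytes does not by itself close the overflow, because the strcpy() at sysfs.c:272 in the backtrace stays unbounded, and the dirent d_name in the gdb dump is far longer than 32 bytes, so a sysfs entry name of 32 or more characters would overflow the new field exactly as the 20-character name overflowed the old one. Suggest bounding the copy in sysfs_read() as well, e.g. `if (strlen(de->d_name) >= sizeof(dev->sys_name)) continue;` before the copy (or strncpy() with explicit NUL termination), and stating in the commit message why 32 was chosen, as the cover letter does (to match the other device name arrays).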
--
1.8.3.1
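An added example, not mdadm's code, that shows the arithmetic behind this crash and the bounded copy that a plain strcpy() lacks: the 20-character name from the gdb dump needs 21 bytes, so it overflows sys_name[20] but fits in the patched 32-byte field, while a longer entry name is rejected instead of overflowing the new field. SYS_NAME_OLD, SYS_NAME_NEW, copy_sys_name and try_copy are assumed names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for mdinfo.sys_name: size in the crash (20) and as patched (32). */
#define SYS_NAME_OLD 20
#define SYS_NAME_NEW 32

/* True if name plus its NUL terminator fits in dstsz bytes: the check
 * strcpy() never makes. A 20-character name needs 21 bytes. */
bool sys_name_fits(const char *name, size_t dstsz)
{
    return strlen(name) < dstsz;
}

/* Bounded replacement for an unchecked strcpy(dev->sys_name, de->d_name):
 * copy only when the name fits; otherwise clear dst and return -1 so the
 * caller can skip the entry instead of writing past the buffer. */
int copy_sys_name(char *dst, size_t dstsz, const char *name)
{
    if (dstsz == 0)
        return -1;
    if (!sys_name_fits(name, dstsz)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, name, strlen(name) + 1);
    return 0;
}

/* Try the copy into a dstsz-byte field (dstsz <= SYS_NAME_NEW): 0 if it fits and round-trips, else -1. */
int try_copy(size_t dstsz, const char *name)
{
    char buf[SYS_NAME_NEW];
    if (dstsz > sizeof buf || copy_sys_name(buf, dstsz, name) != 0)
        return -1;
    return strcmp(buf, name) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: the d_name from the gdb dump, and a longer name
     * that would still overflow the patched 32-byte field. */
    const char *names[] = { "dev-oczpcie_23_0_ssd",
                            "dev-oczpcie_23_0_ssd_with_a_longer_suffix" };
    for (int i = 0; i < 2; i++)
        printf("%s: sys_name[%d] %s, sys_name[%d] %s\n", names[i],
               SYS_NAME_OLD, try_copy(SYS_NAME_OLD, names[i]) ? "overflows" : "fits",
               SYS_NAME_NEW, try_copy(SYS_NAME_NEW, names[i]) ? "overflows" : "fits");
    return 0;
}
```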
Thread overview: 8+ messages
2016-06-10 4:20 Nikhil Kshirsagar [this message]
2016-06-10 15:43 ` [PATCH] mdadm --detail --scan causes SIGABRT Nikhil Kshirsagar
2016-06-10 17:11 ` Jes Sorensen
2016-06-10 17:41 ` Nikhil Kshirsagar
2016-06-10 17:48 ` Jes Sorensen
2016-06-10 18:12 ` Nikhil Kshirsagar
2016-06-13 12:32 ` Nikhil Kshirsagar
2016-06-14 17:42 ` Jes Sorensen