From: Li Zhong <zhong@linux.vnet.ibm.com>
To: Ben Myers <bpm@sgi.com>
Cc: Rich Johnston <rjohnston@sgi.com>,
Chandra Seetharaman <sekharan@us.ibm.com>,
xfsprogs <xfs@oss.sgi.com>
Subject: Re: [PATCH] xfsprogs: fix Out-of-bounds access in repair/dinode.c
Date: Tue, 27 Aug 2013 09:57:07 +0800 [thread overview]
Message-ID: <1377568627.2502.13.camel@ThinkPad-T5421> (raw)
In-Reply-To: <20130826165123.GW7153@sgi.com>
On Mon, 2013-08-26 at 11:51 -0500, Ben Myers wrote:
> Hey Zhong,
>
> On Mon, Aug 26, 2013 at 10:15:27AM +0800, Li Zhong wrote:
> > On Fri, 2013-08-23 at 11:38 -0500, Ben Myers wrote:
> > > Hey Rich and Li Zhong,
> > >
> > > On Wed, Aug 21, 2013 at 11:51:11AM -0500, Rich Johnston wrote:
> > > > Looks good, thanks for the patch Li Zhong. it has been committed.
> > > >
> > > > --Rich
> > > >
> > > > Reviewed-by: Rich Johnston <rjohnston@sgi.com>
> > > >
> > > > commit e7c05095f5baa9cd2e35a6de03d7dd9f51dd3910
> > > > Author: Li Zhong <zhong@linux.vnet.ibm.com>
> > > > Date: Mon Aug 12 06:11:01 2013 +0000
> > > >
> > > > xfsprogs: fix Out-of-bounds access in repair/dinode.c
> > > >
> > > > On 08/12/2013 01:11 AM, Li Zhong wrote:
> > > > >Following is reported by coverity in bug 1061528:
> > > > >
> > > > >187 __dirty_no_modify_ret(dirty);
> > > > >
> > > > >CID 1061528 (#1 of 1): Out-of-bounds access (OVERRUN)53. overrun-buffer-arg: Overrunning array "dinoc->di_pad" of 6 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL".
> > > > >188 memset(dinoc->di_pad, 0, 16);
> > > > >
> > > > >It seems that di_pad here should be di_pad2, as sekharan pointed out.
> > > > >
> > > > >Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com>
> > > > >---
> > > > > repair/dinode.c | 4 ++--
> > > > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > > > >
> > > > >diff --git a/repair/dinode.c b/repair/dinode.c
> > > > >index e607f0b..94bf2f8 100644
> > > > >--- a/repair/dinode.c
> > > > >+++ b/repair/dinode.c
> > > > >@@ -183,9 +183,9 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num)
> > > > > }
> > > > >
> > > > > for (i = 0; i < 16; i++) {
> > > > >- if (dinoc->di_pad[i] != 0) {
> > > > >+ if (dinoc->di_pad2[i] != 0) {
> > > > > __dirty_no_modify_ret(dirty);
> > > > >- memset(dinoc->di_pad, 0, 16);
> > > > >+ memset(dinoc->di_pad2, 0, 16);
> > > > > break;
> > > > > }
> > > > > }
> > >
> > > We also discussed this issue a bit in this thread:
> > > http://oss.sgi.com/archives/xfs/2013-08/msg00228.html
> > >
> > > Looks like the loop itself is incorrect and should be removed, and Eric has
> > > suggested that the conditional be changed to a memcmp in case the size of the
> > > pad changes in the future. Would either of you care to spin up another patch
> > > to clean it up?
> >
> > Hi Ben,
> >
> > If I understand correctly, we need to change 16 to be a sizeof the
> > di_pad2 array(like the fix attached below)?
> >
> > It seems to me that the loop is needed to check all of the 16 entries in
> > the array?
>
> You are correct. We need the loop...
>
> > Thanks, Zhong
> >
> > ---
> > diff --git a/repair/dinode.c b/repair/dinode.c
> > index b2b9a95..7469fc8 100644
> > --- a/repair/dinode.c
> > +++ b/repair/dinode.c
> > @@ -182,10 +182,10 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num)
> > platform_uuid_copy(&dinoc->di_uuid, &mp->m_sb.sb_uuid);
> > }
> >
> > - for (i = 0; i < 16; i++) {
> > + for (i = 0; i < sizeof(dinoc->di_pad2)/sizeof(dinoc->di_pad2[0]); i++) {
>
> Just sizeof(dinoc->di_pad2) would be enough here, right? No need for the
> division I think.
I think the division could be used to calculate the number of elements
in the array(16). But yes, in this case, as the element in the array is
1 byte in size, so it's the same whether we add the division or not.
>
> > if (dinoc->di_pad2[i] != 0) {
> > __dirty_no_modify_ret(dirty);
> > - memset(dinoc->di_pad2, 0, 16);
> > + memset(dinoc->di_pad2, 0, sizeof(dinoc->di_pad2));
> ^^^^^^^^^^^^^^^^^^^^^^
>
> That guy will return 16, so we'll memset off the end of di_pad2.
> sizeof(dinoc->di_pad2[0]) would work.
I think we need to memset the whole array, if we find some non-zero
value there.
Thanks, Zhong
>
> Thanks!
> -Ben
>
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2013-08-27 1:57 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-12 6:11 [PATCH] xfsprogs: fix Out-of-bounds access in repair/dinode.c Li Zhong
2013-08-21 16:51 ` Rich Johnston
2013-08-23 16:38 ` Ben Myers
2013-08-26 2:15 ` Li Zhong
2013-08-26 16:51 ` Ben Myers
2013-08-27 1:57 ` Li Zhong [this message]
2013-08-26 17:20 ` Eric Sandeen
2013-08-26 17:40 ` Ben Myers
2013-08-27 2:01 ` Li Zhong
2013-08-27 1:58 ` Li Zhong
2013-10-18 16:28 ` Rich Johnston
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1377568627.2502.13.camel@ThinkPad-T5421 \
--to=zhong@linux.vnet.ibm.com \
--cc=bpm@sgi.com \
--cc=rjohnston@sgi.com \
--cc=sekharan@us.ibm.com \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox