From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111]) by oss.sgi.com (Postfix) with ESMTP id 40C1A7F3F for ; Mon, 26 Aug 2013 20:58:46 -0500 (CDT) Received: from cuda.sgi.com (cuda2.sgi.com [192.48.176.25]) by relay1.corp.sgi.com (Postfix) with ESMTP id 18E298F8039 for ; Mon, 26 Aug 2013 18:58:46 -0700 (PDT) Received: from e23smtp08.au.ibm.com (e23smtp08.au.ibm.com [202.81.31.141]) by cuda.sgi.com with ESMTP id CwinpmmCxa9gpYkL (version=TLSv1 cipher=AES256-SHA bits=256 verify=NO) for ; Mon, 26 Aug 2013 18:58:44 -0700 (PDT) Received: from /spool/local by e23smtp08.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 27 Aug 2013 11:55:23 +1000 Received: from d23relay03.au.ibm.com (d23relay03.au.ibm.com [9.190.235.21]) by d23dlp03.au.ibm.com (Postfix) with ESMTP id 91A5E3578054 for ; Tue, 27 Aug 2013 11:58:38 +1000 (EST) Received: from d23av02.au.ibm.com (d23av02.au.ibm.com [9.190.235.138]) by d23relay03.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id r7R1wR0G42795020 for ; Tue, 27 Aug 2013 11:58:27 +1000 Received: from d23av02.au.ibm.com (loopback [127.0.0.1]) by d23av02.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id r7R1wcA9029542 for ; Tue, 27 Aug 2013 11:58:38 +1000 Message-ID: <1377568714.2502.15.camel@ThinkPad-T5421> Subject: Re: [PATCH] xfsprogs: fix Out-of-bounds access in repair/dinode.c From: Li Zhong Date: Tue, 27 Aug 2013 09:58:34 +0800 In-Reply-To: <521B8E51.6090405@sandeen.net> References: <1376287861.2822.13.camel@ThinkPad-T5421> <5214EFFF.4060105@sgi.com> <20130823163828.GS5262@sgi.com> <521B8E51.6090405@sandeen.net> Mime-Version: 1.0 List-Id: XFS Filesystem from SGI List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: xfs-bounces@oss.sgi.com Sender: xfs-bounces@oss.sgi.com To: Eric Sandeen Cc: Ben Myers , Rich Johnston , Chandra Seetharaman , xfsprogs On Mon, 2013-08-26 at 12:20 -0500, Eric Sandeen wrote: > On 8/23/13 11:38 AM, Ben Myers wrote: > > Hey Rich and Li Zhong, > > > > On Wed, Aug 21, 2013 at 11:51:11AM -0500, Rich Johnston wrote: > >> Looks good, thanks for the patch Li Zhong. it has been committed. > >> > >> --Rich > >> > >> Reviewed-by: Rich Johnston > >> > >> commit e7c05095f5baa9cd2e35a6de03d7dd9f51dd3910 > >> Author: Li Zhong > >> Date: Mon Aug 12 06:11:01 2013 +0000 > >> > >> xfsprogs: fix Out-of-bounds access in repair/dinode.c > >> > >> On 08/12/2013 01:11 AM, Li Zhong wrote: > >>> Following is reported by coverity in bug 1061528: > >>> > >>> 187 __dirty_no_modify_ret(dirty); > >>> > >>> CID 1061528 (#1 of 1): Out-of-bounds access (OVERRUN)53. overrun-buffer-arg: Overrunning array "dinoc->di_pad" of 6 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL". > >>> 188 memset(dinoc->di_pad, 0, 16); > >>> > >>> It seems that di_pad here should be di_pad2, as sekharan pointed out. > >>> > >>> Signed-off-by: Li Zhong > >>> --- > >>> repair/dinode.c | 4 ++-- > >>> 1 file changed, 2 insertions(+), 2 deletions(-) > >>> > >>> diff --git a/repair/dinode.c b/repair/dinode.c > >>> index e607f0b..94bf2f8 100644 > >>> --- a/repair/dinode.c > >>> +++ b/repair/dinode.c > >>> @@ -183,9 +183,9 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num) > >>> } > >>> > >>> for (i = 0; i < 16; i++) { > >>> - if (dinoc->di_pad[i] != 0) { > >>> + if (dinoc->di_pad2[i] != 0) { > >>> __dirty_no_modify_ret(dirty); > >>> - memset(dinoc->di_pad, 0, 16); > >>> + memset(dinoc->di_pad2, 0, 16); > >>> break; > >>> } > >>> } > > > > We also discussed this issue a bit in this thread: > > http://oss.sgi.com/archives/xfs/2013-08/msg00228.html > > > > Looks like the loop itself is incorrect and should be removed, and Eric has > > suggested that the conditional be changed to a memcmp in case the size of the > > pad changes in the future. Would either of you care to spin up another patch > > to clean it up? > > I think I was confused; it seems fine as it is in git, not sure what I was > thinking. > > memcmp can't use a bare "0" as an arg, so it's not ideal to use either. > > Not a huge fan of the hard-coded 16, but I think the code is correct now; we > can probably move on to real problems. ;) OK :) Or maybe we could improve it with the calculation using sizeof as below(which I posted in another thread)? Thanks, Zhong --- diff --git a/repair/dinode.c b/repair/dinode.c index b2b9a95..7469fc8 100644 --- a/repair/dinode.c +++ b/repair/dinode.c @@ -182,10 +182,10 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num) platform_uuid_copy(&dinoc->di_uuid, &mp->m_sb.sb_uuid); } - for (i = 0; i < 16; i++) { + for (i = 0; i < sizeof(dinoc->di_pad2)/sizeof(dinoc->di_pad2[0]); i++) { if (dinoc->di_pad2[i] != 0) { __dirty_no_modify_ret(dirty); - memset(dinoc->di_pad2, 0, 16); + memset(dinoc->di_pad2, 0, sizeof(dinoc->di_pad2)); break; } } _______________________________________________ xfs mailing list xfs@oss.sgi.com http://oss.sgi.com/mailman/listinfo/xfs