[LU-7941] Possible buffer boundaries violation in following string operations. Created: 29/Mar/16 Updated: 10/Mar/18 Resolved: 10/Mar/18 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.9.0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Minor |
| Reporter: | Dmitry Eremin (Inactive) | Assignee: | WC Triage |
| Resolution: | Not a Bug | Votes: | 0 |
| Labels: | kw |
| Severity: | 3 |
| Rank (Obsolete): | 9223372036854775807 |
| Description |
|
Function 'strncpy' will fill the whole buffer 'es->s_last_error_func' of fixed size (32) with the string value and will not leave a place for the NULL-terminator. Possible buffer boundaries violation in the following string operations.

In ldiskfs/super.c:

    static void __save_error_info(struct super_block *sb, const char *func,
                                  unsigned int line)
    {
            struct ldiskfs_super_block *es = LDISKFS_SB(sb)->s_es;

            LDISKFS_SB(sb)->s_mount_state |= LDISKFS_ERROR_FS;
            es->s_state |= cpu_to_le16(LDISKFS_ERROR_FS);
            es->s_last_error_time = cpu_to_le32(get_seconds());
            strncpy(es->s_last_error_func, func, sizeof(es->s_last_error_func));
            es->s_last_error_line = cpu_to_le32(line);
            if (!es->s_first_error_time) {...}
            /*
             * Start the daily error reporting function if it hasn't been
             * started already
             */
            if (!es->s_error_count)
                    mod_timer(&LDISKFS_SB(sb)->s_err_report, jiffies + 24*60*60*HZ);
            le32_add_cpu(&es->s_error_count, 1);
    }
| Comments |
| Comment by Andreas Dilger [ 10/Mar/18 ] |
|
The only use of s_last_error_func explicitly limits the string printing to the buffer size, and does not depend on a NUL terminator:

    printk(KERN_NOTICE "EXT4-fs (%s): last error at time %u: %.*s:%d",
           sb->s_id, le32_to_cpu(es->s_last_error_time),
           (int) sizeof(es->s_last_error_func), es->s_last_error_func,
           le32_to_cpu(es->s_last_error_line));
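The behaviour discussed in this ticket, as an added userspace C example (not Lustre or ext4 code): strncpy() into a 32-byte field leaves no terminator when the name is 32 characters or longer, and a "%.*s" read bounded by the field size still stays inside the field. The names struct demo_sb, save_func, field_is_terminated, format_bounded, LONG_NAME and the canary bytes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define ERR_FUNC_LEN 32 /* size of s_last_error_func stated in the report */
/* Constructed sample: 47 characters, longer than the field. */
#define LONG_NAME "demo_function_name_that_is_longer_than_32_bytes"

/* Hypothetical stand-in for the relevant part of the superblock. */
struct demo_sb {
    char last_error_func[ERR_FUNC_LEN]; /* fixed-width, NUL-padded field */
    char canary[8];                     /* neighbouring bytes */
};

/* Writer: same strncpy() call shape as __save_error_info(). */
static void save_func(struct demo_sb *es, const char *func)
{
    strncpy(es->last_error_func, func, sizeof(es->last_error_func));
}

/* Returns 1 if a NUL byte exists anywhere inside the 32-byte field. */
static int field_is_terminated(const struct demo_sb *es)
{
    return memchr(es->last_error_func, '\0',
                  sizeof(es->last_error_func)) != NULL;
}

/* Reader: "%.*s" with precision = field size, as in the printk() above.
 * At most 32 bytes are read, so no terminator is required. */
static int format_bounded(const struct demo_sb *es, char *out, size_t outlen)
{
    return snprintf(out, outlen, "last error at %.*s",
                    (int)sizeof(es->last_error_func), es->last_error_func);
}

int main(void)
{
    struct demo_sb es;
    char out[128];

    memset(&es, 0, sizeof(es));
    memcpy(es.canary, "CANARY!", sizeof(es.canary)); /* 7 chars + NUL */
    save_func(&es, LONG_NAME);
    format_bounded(&es, out, sizeof(out));
    printf("terminated=%d  \"%s\"\n", field_is_terminated(&es), out);
    return 0;
}
```

A consumer that read the field with plain "%s" or strlen() would depend on a terminator that a 32-character-or-longer name does not leave, so any new reader of the field needs the same size bound.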