On Mon, Mar 08, 2021 at 09:14:18AM +0100, Michal Privoznik wrote:
> For reasons unknown, when rewriting this code and dropping
> libdevmapper I've mistakenly used incorrect length of dm.name. In
> linux/dm-ioctl.h the dm_ioctl struct is defined as follows:
>
> #define DM_NAME_LEN 128
>
> struct dm_ioctl {
> ...
> char name[DM_NAME_LEN]; /* device name */
> ...
> };
>
> However, when copying string into this member, DM_TABLE_DEPS was
> used, which is defined as follows:
>
> #define DM_TABLE_DEPS _IOWR(DM_IOCTL, DM_TABLE_DEPS_CMD, struct dm_ioctl)
>
> After decryption, this results in the following size: 3241737483.
>
> Fixes: 22494556542c676d1b9e7f1c1f2ea13ac17e1e3e
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
> src/util/virdevmapper.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
So we were not correctly capping the input path length. Bad
but IIUC not a security bug because the input is controlled by
a client who already has privileges equivalent to root.
>
> diff --git a/src/util/virdevmapper.c b/src/util/virdevmapper.c
> index fcb11e954f..2c4c2df999 100644
> --- a/src/util/virdevmapper.c
> +++ b/src/util/virdevmapper.c
> @@ -240,7 +240,7 @@ virDevMapperGetTargetsImpl(int controlFD,
> if (!(sanitizedPath = virDMSanitizepath(path)))
> return 0;
>
> - if (virStrcpy(dm.name, sanitizedPath, DM_TABLE_DEPS) < 0) {
> + if (virStrcpy(dm.name, sanitizedPath, DM_NAME_LEN) < 0) {
> virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
> _("Resolved device mapper name too long"));
> return -1;
Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
