Re: [PATCH 1/1] mdadm/platform-intel: Fix buffer overflow


 



On Tue, May 28, 2024 at 1:10 PM Paul Menzel <pmenzel@xxxxxxxxxxxxx> wrote:
>
> Dear Xiao,
>
>
> Thank you for your patch.
>
> Am 28.05.24 um 04:29 schrieb Xiao Ni:
> > It reports buffer overflow detected when creating raid with big
> > nvme devices. In my test, the size of the nvme device is 1.5T.
>
> I always like the error message and example command pasted, so chances
> are higher for affected people to find this in search engine.

Hi Paul

Thanks for the suggestion.

mdadm -CR /dev/md0 -l1 -n2 /dev/nvme0n1 /dev/nvme2n1
*** buffer overflow detected ***: terminated
Aborted (core dumped)

nvme0n1                        259:3    0   1.5T  0 disk
nvme2n1                        259:5    0   1.5T  0 disk


>
> > It can't reproduce this with nvme device which size is smaller
>
> s/It/I/?

Thanks. I want to type "It can't be reproduced" :)
>
> > than 1T.
> >
> > In function get_nvme_multipath_dev_hw_path it allocs memory in a for
> > loop and the size it allocs is big. So if the iteration number is
> > large, it has a risk that the stack space is larger than the limit.
> > So move the memory allocation at the biginning of the funtion.
>
> … move … *to* the b*e*ginning of the fun*c*tion.

Thanks.

Regards
Xiao
>
> > Fixes: d835518b6b53 ('imsm: nvme multipath support')
> > Reported-by: Guang Wu <guazhang@xxxxxxxxxx>
> > Signed-off-by: Xiao Ni <xni@xxxxxxxxxx>
> > ---
> >   platform-intel.c | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/platform-intel.c b/platform-intel.c
> > index 15a9fa5a..0732af2b 100644
> > --- a/platform-intel.c
> > +++ b/platform-intel.c
> > @@ -898,6 +898,7 @@ char *get_nvme_multipath_dev_hw_path(const char *dev_path)
> >       DIR *dir;
> >       struct dirent *ent;
> >       char *rp = NULL;
> > +     char buf[PATH_MAX];
> >
> >       if (strncmp(dev_path, NVME_SUBSYS_PATH, strlen(NVME_SUBSYS_PATH)) != 0)
> >               return NULL;
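Review bot: the `char buf[PATH_MAX];` added to the declarations is a fixed reservation that, for any path that fits in PATH_MAX, is at least as large as the per-iteration array it replaces, so the commit message's explanation (stack use exceeding the limit when the loop runs many times) does not describe what this line changes. Suggest rewording the message to say that the buffer is now sized independently of `dev_path` and `ent->d_name`, since that is the property the fix relies on.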
> > @@ -907,14 +908,13 @@ char *get_nvme_multipath_dev_hw_path(const char *dev_path)
> >               return NULL;
> >
> >       for (ent = readdir(dir); ent; ent = readdir(dir)) {
> > -             char buf[strlen(dev_path) + strlen(ent->d_name) + 1];
> >
> >               /* Check if dir is a controller, ignore namespaces*/
> >               if (!(strncmp(ent->d_name, "nvme", 4) == 0) ||
> >                   (strrchr(ent->d_name, 'n') != &ent->d_name[0]))
> >                       continue;
> >
> > -             sprintf(buf, "%s/%s", dev_path, ent->d_name);
> > +             snprintf(buf, PATH_MAX, "%s/%s", dev_path, ent->d_name);
> >               rp = realpath(buf, NULL);
> >               break;
> >       }
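Review bot: the return value of `snprintf(buf, PATH_MAX, "%s/%s", dev_path, ent->d_name)` is not checked, so a combined path that does not fit is silently truncated and the truncated string is passed to `realpath()`. Suggest comparing the result against `sizeof(buf)` and bailing out (or skipping the entry) when it is negative or not smaller, and passing `sizeof(buf)` rather than repeating `PATH_MAX` so the bound follows the declaration. It is also worth recording in the commit message that the removed array was sized `strlen(dev_path) + strlen(ent->d_name) + 1`, while the `"%s/%s"` format writes both strings plus the `/` separator plus the terminating NUL, which is one byte more than that array held.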
>
>
> Kind regards,
>
> Paul
>





