On Fri, 2013-08-23 at 11:38 -0500, Ben Myers wrote:
> Hey Rich and Li Zhong,
>
> On Wed, Aug 21, 2013 at 11:51:11AM -0500, Rich Johnston wrote:
> > Looks good, thanks for the patch Li Zhong. it has been committed.
> >
> > --Rich
> >
> > Reviewed-by: Rich Johnston <rjohnston@xxxxxxx>
> >
> > commit e7c05095f5baa9cd2e35a6de03d7dd9f51dd3910
> > Author: Li Zhong <zhong@xxxxxxxxxxxxxxxxxx>
> > Date: Mon Aug 12 06:11:01 2013 +0000
> >
> > xfsprogs: fix Out-of-bounds access in repair/dinode.c
> >
> > On 08/12/2013 01:11 AM, Li Zhong wrote:
> > >Following is reported by coverity in bug 1061528:
> > >
> > >187 __dirty_no_modify_ret(dirty);
> > >
> > >CID 1061528 (#1 of 1): Out-of-bounds access (OVERRUN)53. overrun-buffer-arg: Overrunning array "dinoc->di_pad" of 6 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL".
> > >188 memset(dinoc->di_pad, 0, 16);
> > >
> > >It seems that di_pad here should be di_pad2, as sekharan pointed out.
> > >
> > >Signed-off-by: Li Zhong <zhong@xxxxxxxxxxxxxxxxxx>
> > >---
> > > repair/dinode.c | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > >diff --git a/repair/dinode.c b/repair/dinode.c
> > >index e607f0b..94bf2f8 100644
> > >--- a/repair/dinode.c
> > >+++ b/repair/dinode.c
> > >@@ -183,9 +183,9 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num)
> > > }
> > >
> > > for (i = 0; i < 16; i++) {
> > >- if (dinoc->di_pad[i] != 0) {
> > >+ if (dinoc->di_pad2[i] != 0) {
> > > __dirty_no_modify_ret(dirty);
> > >- memset(dinoc->di_pad, 0, 16);
> > >+ memset(dinoc->di_pad2, 0, 16);
> > > break;
> > > }
> > > }
>
> We also discussed this issue a bit in this thread:
> http://oss.sgi.com/archives/xfs/2013-08/msg00228.html
>
> Looks like the loop itself is incorrect and should be removed, and Eric has
> suggested that the conditional be changed to a memcmp in case the size of the
> pad changes in the future. Would either of you care to spin up another patch
> to clean it up?
Hi Ben,
If I understand correctly, we need to change 16 to be a sizeof the
di_pad2 array(like the fix attached below)?
It seems to me that the loop is needed to check all of the 16 entries in
the array?
Thanks, Zhong
---
diff --git a/repair/dinode.c b/repair/dinode.c
index b2b9a95..7469fc8 100644
--- a/repair/dinode.c
+++ b/repair/dinode.c
@@ -182,10 +182,10 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num)
platform_uuid_copy(&dinoc->di_uuid, &mp->m_sb.sb_uuid);
}
- for (i = 0; i < 16; i++) {
+ for (i = 0; i < sizeof(dinoc->di_pad2)/sizeof(dinoc->di_pad2[0]); i++) {
if (dinoc->di_pad2[i] != 0) {
__dirty_no_modify_ret(dirty);
- memset(dinoc->di_pad2, 0, 16);
+ memset(dinoc->di_pad2, 0, sizeof(dinoc->di_pad2));
break;
}
}
_______________________________________________
xfs mailing list
xfs@xxxxxxxxxxx
http://oss.sgi.com/mailman/listinfo/xfs
