xfsprogs: fix Out-of-bounds access in repair/dinode.c

On Mon, 2013-08-26 at 12:20 -0500, Eric Sandeen wrote:
> On 8/23/13 11:38 AM, Ben Myers wrote:
> > Hey Rich and Li Zhong,
> >
> > On Wed, Aug 21, 2013 at 11:51:11AM -0500, Rich Johnston wrote:
> >> Looks good, thanks for the patch Li Zhong. it has been committed.
> >>
> >> --Rich
> >>
> >> Reviewed-by: Rich Johnston <rjohnston@sgi.com>
> >>
> >> commit e7c05095f5baa9cd2e35a6de03d7dd9f51dd3910
> >> Author: Li Zhong <zhong@linux.vnet.ibm.com>
> >> Date:   Mon Aug 12 06:11:01 2013 +0000
> >>
> >>     xfsprogs: fix Out-of-bounds access in repair/dinode.c
> >>
> >> On 08/12/2013 01:11 AM, Li Zhong wrote:
> >>> Following is reported by coverity in bug 1061528:
> >>>
> >>> 187                        __dirty_no_modify_ret(dirty);
> >>>
> >>> CID 1061528 (#1 of 1): Out-of-bounds access (OVERRUN)53. overrun-buffer-arg: Overrunning array "dinoc->di_pad" of 6 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL".
> >>> 188                        memset(dinoc->di_pad, 0, 16);
> >>>
> >>> It seems that di_pad here should be di_pad2, as sekharan pointed out.
> >>>
> >>> Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com>
> >>> ---
> >>>  repair/dinode.c | 4 ++--
> >>>  1 file changed, 2 insertions(+), 2 deletions(-)
> >>>
> >>> diff --git a/repair/dinode.c b/repair/dinode.c
> >>> index e607f0b..94bf2f8 100644
> >>> --- a/repair/dinode.c
> >>> +++ b/repair/dinode.c
> >>> @@ -183,9 +183,9 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num)
> >>>  	}
> >>>
> >>>  	for (i = 0; i < 16; i++) {
> >>> -		if (dinoc->di_pad[i] != 0) {
> >>> +		if (dinoc->di_pad2[i] != 0) {
> >>>  			__dirty_no_modify_ret(dirty);
> >>> -			memset(dinoc->di_pad, 0, 16);
> >>> +			memset(dinoc->di_pad2, 0, 16);
> >>>  			break;
> >>>  		}
> >>>  	}
> >
> > We also discussed this issue a bit in this thread:
> > http://oss.sgi.com/archives/xfs/2013-08/msg00228.html
> >
> > Looks like the loop itself is incorrect and should be removed, and Eric has
> > suggested that the conditional be changed to a memcmp in case the size of the
> > pad changes in the future.  Would either of you care to spin up another patch
> > to clean it up?
>
> I think I was confused; it seems fine as it is in git, not sure what I was
> thinking.
>
> memcmp can't use a bare "0" as an arg, so it's not ideal to use either.
>
> Not a huge fan of the hard-coded 16, but I think the code is correct now; we
> can probably move on to real problems.  ;)

OK :) Or maybe we could improve it with the calculation using sizeof as
below(which I posted in another thread)?

Thanks, Zhong

diff --git a/repair/dinode.c b/repair/dinode.c
index b2b9a9501817c99203766db8a637fc88f0de8944..7469fc816897c5da2ab4c1516e0aff5ff6ba5588 100644 (file)
--- a/repair/dinode.c
+++ b/repair/dinode.c
@@ -182,10 +182,10 @@ clear_dinode_core(struct xfs_mount *mp, xfs_dinode_t *dinoc, xfs_ino_t ino_num)
                platform_uuid_copy(&dinoc->di_uuid, &mp->m_sb.sb_uuid);
        }
 
-       for (i = 0; i < 16; i++) {
+       for (i = 0; i < sizeof(dinoc->di_pad2)/sizeof(dinoc->di_pad2[0]); i++) {
                if (dinoc->di_pad2[i] != 0) {
                        __dirty_no_modify_ret(dirty);
-                       memset(dinoc->di_pad2, 0, 16);
+                       memset(dinoc->di_pad2, 0, sizeof(dinoc->di_pad2));
                        break;
                }
        }