ASan reported the following global-buffer-overflow:
READ of size 1 at 0x7f50dc6b3e9f thread T0
#0 0x... in cg_concat_path <src>/src/api.c:1769
#1 0x... in cg_build_path_locked <src>/src/api.c:1889
#2 0x... in cg_build_path <src>/src/api.c:1910
#3 0x.. in systemd_default_cgroup_exists <src>/src/config.c:2258
#4 0x.. in cgroup_set_default_systemd_cgroup <src>/src/config.c:2306
#5 0x... in main <src>/src/tools/cgdelete.c:193
#6 0x... in __libc_start_call_main (/lib64/libc.so.6+0x2a60f)
#7 0x... in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a6bf)
#8 0x... in _start (/usr/local/bin/cgdelete+0x402384)
0x... sits one byte to the left of the empty string literal '.LC3' that
systemd_default_cgroup_exists() handed to cg_build_path(). Passing an
empty suffix made cg_concat_path() evaluate suf[-1] while it decided
whether to append a trailing slash, triggering the ASan
global-buffer-overflow.
Fix by passing NULL instead of "" (empty string), so cg_build_path()
skips the suffix concatenation entirely. The resulting canonical paths
are unchanged, but cgdelete (and any other caller) now runs without
trampling the adjacent literal.
Fixes: https://github.com/libcgroup/libcgroup/issues/526
Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
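As an added illustration of the failure mode described in the message above, here is a constructed path-assembly helper (not libcgroup's real cg_concat_path(); the function names and the /sys/fs/cgroup mount point are assumptions) that treats an empty component the same as a missing one, so the trailing-slash decision never indexes one byte before the string:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libcgroup's cg_concat_path(). Appends comp to
 * the path in buf and guarantees exactly one trailing '/', without ever
 * touching comp[-1]. NULL or "" both mean "no component".
 * Returns 0 on success, -1 if buf (capacity bufsz) would overflow. */
static int cg_append_component(char *buf, size_t bufsz, const char *comp)
{
	size_t used = strlen(buf);
	size_t len;

	if (comp == NULL)
		return 0;
	len = strlen(comp);
	/* The buggy code went straight to comp[len - 1] to see whether a
	 * '/' was already present; with len == 0 that is comp[-1], the
	 * byte before the string literal, which is what ASan flagged. */
	if (len == 0)
		return 0;
	if (used + len + 2 > bufsz)          /* comp, optional '/', NUL */
		return -1;
	memcpy(buf + used, comp, len);
	used += len;
	if (buf[used - 1] != '/')            /* safe: used >= len >= 1 */
		buf[used++] = '/';
	buf[used] = '\0';
	return 0;
}

/* Mirrors the call shape in the diff: build "<mount>/<path>/[<suf>/]".
 * The mount point is a placeholder chosen for this example. */
static int build_cgroup_path(char *buf, size_t bufsz,
			     const char *path, const char *suf)
{
	buf[0] = '\0';
	if (cg_append_component(buf, bufsz, "/sys/fs/cgroup") ||
	    cg_append_component(buf, bufsz, path) ||
	    cg_append_component(buf, bufsz, suf))
		return -1;
	return 0;
}

int main(void)
{
	char buf[64];

	build_cgroup_path(buf, sizeof(buf), "system.slice", ""); /* "" once read suf[-1] */
	printf("%s\n", buf);
	build_cgroup_path(buf, sizeof(buf), "system.slice", "cpu");
	printf("%s\n", buf);
	return 0;
}
```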
* check for empty cgroup v2, the most common usage in
* the hybrid case.
*/
- if (cg_build_path("", path, NULL))
+ if (cg_build_path(NULL, path, NULL))
break;
case CGROUP_MODE_UNIFIED:
/* fallthrough */
case CGROUP_MODE_LEGACY:
- cg_build_path("", path, "cpu");
+ cg_build_path(NULL, path, "cpu");
/* fallthrough */
case CGROUP_MODE_UNK:
break;
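Review bot: Both call sites in this hunk now pass NULL instead of "", which sidesteps the suf[-1] read for systemd_default_cgroup_exists(), but the read itself still lives in cg_concat_path() and will recur for any other caller that hands it an empty suffix. Consider hardening the trailing-slash decision in cg_concat_path() as well, e.g. by checking `if (suf == NULL || *suf == '\0')` (or a strlen() == 0 test) before indexing the last character, so the API is safe regardless of what callers pass. A short comment above the `if (cg_build_path(NULL, path, NULL))` line saying why NULL rather than "" is used would also stop a future cleanup from reintroducing the empty string.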