77119010d2
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/crash.git#a9cf6c58896ac8966eb358a945ba6b401833f684
65 lines
2.4 KiB
Diff
65 lines
2.4 KiB
Diff
From 9c0c6c1b3750beafe4ac6a5441c2dbe26157d548 Mon Sep 17 00:00:00 2001
|
|
From: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
|
|
Date: Thu, 4 Mar 2021 20:20:30 +0900
|
|
Subject: [PATCH 6/6] tools: Fix potential write to object of 0 size
|
|
|
|
valgrind detects the following invalid write on the call of strcpy():
|
|
|
|
Invalid write of size 1
|
|
at 0x483CCFE: strcpy (vg_replace_strmem.c:511)
|
|
by 0x47202B: extract_hex (tools.c:1152)
|
|
by 0x5104ED: search_for_switch_to (x86_64.c:6342)
|
|
by 0x51D6EE: x86_64_thread_return_init (x86_64.c:6368)
|
|
by 0x51D6EE: x86_64_init (x86_64.c:721)
|
|
by 0x464A2D: main_loop (main.c:770)
|
|
by 0x6BF1B2: captured_command_loop (main.c:258)
|
|
by 0x6BD7B9: catch_errors (exceptions.c:557)
|
|
by 0x6C0235: captured_main (main.c:1064)
|
|
by 0x6BD7B9: catch_errors (exceptions.c:557)
|
|
by 0x6C04E6: gdb_main (main.c:1079)
|
|
by 0x6C04E6: gdb_main_entry (main.c:1099)
|
|
by 0x46316F: main (main.c:708)
|
|
Address 0x2b439eb8 is 0 bytes after a block of size 40 alloc'd
|
|
at 0x483BAE9: calloc (vg_replace_malloc.c:760)
|
|
by 0x471794: getbuf (tools.c:6036)
|
|
by 0x47201D: extract_hex (tools.c:1151)
|
|
by 0x5104ED: search_for_switch_to (x86_64.c:6342)
|
|
by 0x51D6EE: x86_64_thread_return_init (x86_64.c:6368)
|
|
by 0x51D6EE: x86_64_init (x86_64.c:721)
|
|
by 0x464A2D: main_loop (main.c:770)
|
|
by 0x6BF1B2: captured_command_loop (main.c:258)
|
|
by 0x6BD7B9: catch_errors (exceptions.c:557)
|
|
by 0x6C0235: captured_main (main.c:1064)
|
|
by 0x6BD7B9: catch_errors (exceptions.c:557)
|
|
by 0x6C04E6: gdb_main (main.c:1079)
|
|
by 0x6C04E6: gdb_main_entry (main.c:1099)
|
|
by 0x46316F: main (main.c:708)
|
|
|
|
This is due to strcpy() receives empty string in its 1st argument
|
|
because the size of the buffer associated with buf variable then is of
|
|
size 0 due to lack of consideration of the terminal '\0' byte.
|
|
|
|
Fix this by +1 to the buffer size for the terminal '\0' byte.
|
|
|
|
Signed-off-by: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
|
|
---
|
|
tools.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/tools.c b/tools.c
|
|
index e6978ae44ead..a26b101f6481 100644
|
|
--- a/tools.c
|
|
+++ b/tools.c
|
|
@@ -1150,7 +1150,7 @@ extract_hex(char *s, ulong *result, char stripchar, ulong first_instance)
|
|
ulong value;
|
|
char *buf;
|
|
|
|
- buf = GETBUF(strlen(s));
|
|
+ buf = GETBUF(strlen(s) + 1);
|
|
strcpy(buf, s);
|
|
argc = parse_line(buf, arglist);
|
|
|
|
--
|
|
2.29.2
|
|
|