device-mapper-multipath/0007-libmultipath-fix-length-issues-in-get_vpd_sgio.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Benjamin Marzinski <bmarzins@redhat.com>
Date: Fri, 27 Jul 2018 15:36:01 -0500
Subject: [PATCH] libmultipath: fix length issues in get_vpd_sgio

When get_vpd_sgio() finds out that the vpd info needed to be truncated
to fit in the buffer, it doesn't trucate the size as well,  which allows
it to overwrite the buffer. Also, in once len is set to -ENODATA,
get_vpd_sgio() should exit, instead of using the negative len in
memcpy(). Found by coverity.

Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
---
 libmultipath/discovery.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c
index 0b1855d..3e0db7f 100644
--- a/libmultipath/discovery.c
+++ b/libmultipath/discovery.c
@@ -1116,17 +1116,21 @@ get_vpd_sgio (int fd, int pg, char * str, int maxlen)
 		return -ENODATA;
 	}
 	buff_len = get_unaligned_be16(&buff[2]) + 4;
-	if (buff_len > 4096)
+	if (buff_len > 4096) {
 		condlog(3, "vpd pg%02x page truncated", pg);
-
+		buff_len = 4096;
+	}
 	if (pg == 0x80)
 		len = parse_vpd_pg80(buff, str, maxlen);
 	else if (pg == 0x83)
 		len = parse_vpd_pg83(buff, buff_len, str, maxlen);
 	else if (pg == 0xc9 && maxlen >= 8) {
-		len = buff_len < 8 ? -ENODATA :
-			(buff_len <= maxlen ? buff_len : maxlen);
-		memcpy (str, buff, len);
+		if (buff_len < 8)
+			len = -ENODATA;
+		else {
+			len = (buff_len <= maxlen)? buff_len : maxlen;
+			memcpy (str, buff, len);
+		}
 	} else
 		len = -ENOSYS;
 
-- 
2.7.4
device-mapper-multipath-0.7.7-6.git1a8625a - Update Source to latest upstream commit * Previous patches 0001-0011 are included in this commit - Rename files * Previous patches 0012-0019 are now patches 0021-0028 - Add 0001-libmultipath-fix-tur-checker-timeout.patch - Add 0002-libmultipath-fix-tur-checker-double-locking.patch - Add 0003-libmultipath-fix-tur-memory-misuse.patch - Add 0004-libmultipath-cleanup-tur-locking.patch - Add 0005-libmultipath-fix-tur-checker-timeout-issue.patch * The above 5 patches cleanup locking issues with the tur checker threads - Add 0006-libmultipath-fix-set_int-error-path.patch - Add 0007-libmultipath-fix-length-issues-in-get_vpd_sgio.patch - Add 0008-libmultipath-_install_keyword-cleanup.patch - Add 0009-libmultipath-remove-unused-code.patch - Add 0010-libmultipath-fix-memory-issue-in-path_latency-prio.patch - Add 0011-libmultipath-fix-null-dereference-int-alloc_path_gro.patch - Add 0012-libmutipath-don-t-use-malformed-uevents.patch - Add 0013-multipath-fix-max-array-size-in-print_cmd_valid.patch - Add 0014-multipathd-function-return-value-tweaks.patch - Add 0015-multipathd-minor-fixes.patch - Add 0016-multipathd-remove-useless-check-and-fix-format.patch - Add 0017-multipathd-fix-memory-leak-on-error-in-configure.patch * The above 12 patches fix minor issues found by coverity - Add 0018-libmultipath-Don-t-blank-intialized-paths.patch - Add 0019-libmultipath-Fixup-updating-paths.patch * Fix issues with paths whose wwid was not set or later changes - Add 0020-multipath-tweak-logging-style.patch * multipathd interactive commands now send errors to stderr, instead of syslog * The above 20 patches have been submitted upstream 2018-09-27 22:56:43 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Benjamin Marzinski <bmarzins@redhat.com>`
			`Date: Fri, 27 Jul 2018 15:36:01 -0500`
			`Subject: [PATCH] libmultipath: fix length issues in get_vpd_sgio`

			`When get_vpd_sgio() finds out that the vpd info needed to be truncated`
			`to fit in the buffer, it doesn't trucate the size as well, which allows`
			`it to overwrite the buffer. Also, in once len is set to -ENODATA,`
			`get_vpd_sgio() should exit, instead of using the negative len in`
			`memcpy(). Found by coverity.`

			`Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>`
			`---`
			`libmultipath/discovery.c \| 14 +++++++++-----`
			`1 file changed, 9 insertions(+), 5 deletions(-)`

			`diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c`
			`index 0b1855d..3e0db7f 100644`
			`--- a/libmultipath/discovery.c`
			`+++ b/libmultipath/discovery.c`
			`@@ -1116,17 +1116,21 @@ get_vpd_sgio (int fd, int pg, char * str, int maxlen)`
			`return -ENODATA;`
			`}`
			`buff_len = get_unaligned_be16(&buff[2]) + 4;`
			`- if (buff_len > 4096)`
			`+ if (buff_len > 4096) {`
			`condlog(3, "vpd pg%02x page truncated", pg);`
			`-`
			`+ buff_len = 4096;`
			`+ }`
			`if (pg == 0x80)`
			`len = parse_vpd_pg80(buff, str, maxlen);`
			`else if (pg == 0x83)`
			`len = parse_vpd_pg83(buff, buff_len, str, maxlen);`
			`else if (pg == 0xc9 && maxlen >= 8) {`
			`- len = buff_len < 8 ? -ENODATA :`
			`- (buff_len <= maxlen ? buff_len : maxlen);`
			`- memcpy (str, buff, len);`
			`+ if (buff_len < 8)`
			`+ len = -ENODATA;`
			`+ else {`
			`+ len = (buff_len <= maxlen)? buff_len : maxlen;`
			`+ memcpy (str, buff, len);`
			`+ }`
			`} else`
			`len = -ENOSYS;`

			`--`
			`2.7.4`