From e95cb110c412830ba99f87510ae2b7c26d2de4f8 Mon Sep 17 00:00:00 2001
From: Christine Caulfield
Date: Fri, 1 Sep 2023 09:05:20 +0100
Subject: [PATCH] blackbox: fix buffer overflow with long log lines Resolves: rhbz#2236171
---
bz2236171-fix-bb-overflow.patch | 51 +++++++++++++++++++++++++++++++++
libqb.spec | 10 +++++--
2 files changed, 58 insertions(+), 3 deletions(-)
create mode 100644 bz2236171-fix-bb-overflow.patch
diff --git a/bz2236171-fix-bb-overflow.patch b/bz2236171-fix-bb-overflow.patch
new file mode 100644
index 0000000..9ddc47f
--- /dev/null
+++ b/bz2236171-fix-bb-overflow.patch
@@ -0,0 +1,51 @@
+commit 1bbaa929b77113532785c408dd1b41cd0521ffc8
+Author: Chrissie Caulfield
+Date: Thu Jul 20 07:19:01 2023 +0100
+
+ log: fix potential overflow with long log messages (#490)
+
+ qb_vsnprintf_serialize was called with 'max_size' as the
+ limiting number for the length of the formatted log
+ message. But the buffer also needs to contain the
+ log header (given by 'actual_size'), so we now pass
+ 't->max_line_length' as the maximum length of the
+ formatted log message to limit space to the actual
+ bytes left
+
+ Also added error checks to the blackbox calls at
+ the end of the test, as these now provide a proper
+ test that the BB is functioning. Before they were
+ masking failures.
+
+diff --git a/lib/log_blackbox.c b/lib/log_blackbox.c
+index 3e30504..8519a48 100644
+--- a/lib/log_blackbox.c
++++ b/lib/log_blackbox.c
+@@ -110,8 +110,8 @@ _blackbox_vlogger(int32_t target,
+ chunk += sizeof(uint32_t);
+
+ /* log message */
+- msg_len = qb_vsnprintf_serialize(chunk, max_size, cs->format, ap);
+- if (msg_len >= max_size) {
++ msg_len = qb_vsnprintf_serialize(chunk, t->max_line_length, cs->format, ap);
++ if (msg_len >= t->max_line_length) {
+ chunk = msg_len_pt + sizeof(uint32_t); /* Reset */
+
+ /* Leave this at QB_LOG_MAX_LEN so as not to overflow the blackbox */
+diff --git a/tests/check_log.c b/tests/check_log.c
+index 039a4bb..e5abf40 100644
+--- a/tests/check_log.c
++++ b/tests/check_log.c
+@@ -832,8 +832,10 @@ START_TEST(test_log_long_msg)
+ qb_log(LOG_INFO, "Message %d %d - %s", lpc, lpc%600, buffer);
+ }
+
+- qb_log_blackbox_write_to_file("blackbox.dump");
+- qb_log_blackbox_print_from_file("blackbox.dump");
++ rc = qb_log_blackbox_write_to_file("blackbox.dump");
++ ck_assert_int_gt(rc, 0);
++ rc = qb_log_blackbox_print_from_file("blackbox.dump");
++ ck_assert_int_le(rc, 0);
+ unlink("blackbox.dump");
+ qb_log_fini();
+ }
diff --git a/libqb.spec b/libqb.spec
index ca2d3b9..37006d0 100644
--- a/libqb.spec
+++ b/libqb.spec
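Review bot: In the tests/check_log.c part of the embedded patch (bz2236171-fix-bb-overflow.patch), `ck_assert_int_le(rc, 0)` after `qb_log_blackbox_print_from_file` also passes for any negative return, so if that function reports failures as negative values (its contract is not visible here), a corrupt or unreadable dump would still pass the regression test for this overflow. If 0 is the success value, `ck_assert_int_eq(rc, 0);` pins it; if a specific negative value marks the normal end of data, assert that value and add a comment such as `/* print_from_file returns <value> at end of ring buffer */`. Separately, in lib/log_blackbox.c the retained comment `Leave this at QB_LOG_MAX_LEN` suggests the fallback write after the reset is still bounded by QB_LOG_MAX_LEN rather than `t->max_line_length`. That call lies outside the hunk, so confirm that the two limits cannot disagree for a target configured with a shorter line length. Both `_blackbox_vlogger` and `test_log_long_msg` start and end outside the visible lines.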
@@ -3,7 +3,7 @@ Name: libqb Version: 2.0.6 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Library providing high performance logging, tracing, ipc, and poll License: LGPLv2+ @@ -11,6 +11,7 @@ URL: https://github.com/ClusterLabs/libqb Source0: https://github.com/ClusterLabs/libqb/releases/download/v%{version}/%{name}-%{version}.tar.xz Patch0: bz2149647-connretry-recv.patch +Patch1: bz2236171-fix-bb-overflow.patch BuildRequires: autoconf automake libtool BuildRequires: check-devel @@ -31,8 +32,7 @@ architecture, such as logging, tracing, inter-process communication (IPC), and polling. %prep -%setup -q -n %{name}-%{version} -%patch0 -p1 -b .bz2149647-connretry-recv.patch +%autosetup -p1 %build ./autogen.sh @@ -105,6 +105,10 @@ This package contains a program to create nicely-formatted man pages from Doxyge %changelog +* Fri Sep 1 2023 Christine Caulfield 2.0.6-3 +- blackbox: fix buffer overflow with long log lines + Resolves: rhbz#2236171 + * Thu Dec 1 2022 Christine Caulfield 2.0.6-1 - ipc: Retry receiving credentials if the the message is short Resolves: rhbz2149647