lvm2/0155-pvck-fix-buffer-overflow-integer-truncation-and-type.patch
Marian Csontos 0d41e7e8af Additional patches for 9.9.0 lvm2
Patches from upstream up to 2.03.41.

Resolves: RHEL-174324
2026-06-04 21:29:42 +02:00


From d075514407ffda578ac763491857f2abcab56667 Mon Sep 17 00:00:00 2001
From: Zdenek Kabelac <zkabelac@redhat.com>
Date: Thu, 16 Apr 2026 01:59:10 +0200
Subject: [PATCH 155/211] pvck: fix buffer overflow, integer truncation, and
type mismatches
- _chars_to_hexstr: memcpy used hardcoded 256 instead of max parameter
- _backup_file_to_raw_metadata: back_size * 2 truncated uint64_t to uint32_t
- _dump_backup_to_raw, _read_metadata_file: read() rv was int, compared
via (int) cast against uint64_t sizes losing high bits
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 60fa392c72d7aa299a1488506608c619cac3a362)
---
tools/pvck.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/tools/pvck.c b/tools/pvck.c
index 3be469562..325590f11 100644
--- a/tools/pvck.c
+++ b/tools/pvck.c
@@ -123,7 +123,7 @@ static char *_chars_to_hexstr(const void *in, void *out, int num, int max, const
i++;
}
- memcpy(out, tmp, 256);
+ memcpy(out, tmp, max);
free(tmp);
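Review bot: `memcpy(out, tmp, max)` is only safe if both `tmp` and `out` hold at least `max` bytes, and nothing in this hunk checks or documents that. The allocation of `tmp` and the start of `_chars_to_hexstr` are outside the hunk, so this is unconfirmed: if `tmp` is still sized with a fixed constant, a caller passing a larger `max` would make the copy read past it. `max` is also an `int`, so a negative value would convert to a very large `size_t` length. Please confirm that `tmp` is allocated with `max`, and state the contract above the copy, e.g. `/* tmp and out are both max bytes; callers must pass max > 0 */`.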
@@ -2696,7 +2696,12 @@ static int _backup_file_to_raw_metadata(char *back_buf, uint64_t back_size,
uint32_t text_pos, pre_len = 0, back_pos, text_max;
int len, len2, vgnamelen;
- text_max = back_size * 2;
+ if (back_size > UINT32_MAX / 2) {
+ log_error("Backup file too large.");
+ return 0;
+ }
+
+ text_max = (uint32_t)(back_size * 2);
if (!(text_buf = zalloc(text_max)))
return_0;
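Review bot: The `back_size > UINT32_MAX / 2` guard has no comment explaining why the limit is tied to `uint32_t`, and the error message omits the size that was rejected. The cursors `text_pos`, `back_pos` and `text_max` are all 32-bit, so a short comment above the check would keep the bound from being relaxed later, e.g. `/* text_buf is 2x the backup and is indexed with uint32_t offsets; reject sizes whose doubling would wrap */`. Reporting the value helps when triaging a rejected file: `log_error("Backup file too large (%" PRIu64 " bytes).", back_size);`. The rest of `_backup_file_to_raw_metadata` is outside the hunk, so whether every later write into `text_buf` is bounded by `text_max` cannot be checked from here.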
@@ -2799,7 +2804,8 @@ static int _dump_backup_to_raw(struct cmd_context *cmd, struct settings *set)
struct stat sb;
char *back_buf, *text_buf;
uint64_t back_size, text_size;
- int fd, rv, ret;
+ ssize_t rv;
+ int fd, ret;
if (arg_is_set(cmd, file_ARG)) {
if (!(tofile = arg_str_value(cmd, file_ARG, NULL)))
@@ -2830,7 +2836,7 @@ static int _dump_backup_to_raw(struct cmd_context *cmd, struct settings *set)
goto fail_close;
rv = read(fd, back_buf, back_size);
- if (rv != (int)back_size) {
+ if (rv != (ssize_t)back_size) {
log_error("Cannot read file: %s", input);
free(back_buf);
goto fail_close;
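Review bot: Comparing a single `read()` result against `(ssize_t)back_size` still rejects large files, which the `ssize_t` change was meant to allow. One `read()` may legitimately return fewer bytes than requested, and on Linux it transfers at most 0x7ffff000 bytes per call. The cast also turns a `back_size` above `SSIZE_MAX` negative, where `UINT64_MAX` would compare equal to the `-1` failure return. The `rv != (ssize_t)text_size` check in `_read_metadata_file` has the same problem. I would read in a loop with a `uint64_t done = 0;` local, retrying on `EINTR` and treating an early EOF as an error, as sketched below; the enclosing function starts and ends outside this hunk.

```c
	/* … unchanged: back_buf allocation … */
	while (done < back_size) {
		rv = read(fd, back_buf + done, back_size - done);
		if (rv < 0 && errno == EINTR)
			continue;
		if (rv <= 0) {
			/* rv == 0: file is shorter than the size taken earlier */
			log_error("Cannot read file: %s", input);
			free(back_buf);
			goto fail_close;
		}
		done += (uint64_t)rv;
	}
```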
@@ -2946,7 +2952,8 @@ static int _read_metadata_file(struct cmd_context *cmd, struct metadata_file *mf
char *text_buf;
uint64_t text_size;
uint32_t text_crc;
- int fd, rv;
+ ssize_t rv;
+ int fd;
if ((fd = open(mf->filename, O_RDONLY)) < 0) {
log_error("Cannot open file: %s", mf->filename);
@@ -2967,7 +2974,7 @@ static int _read_metadata_file(struct cmd_context *cmd, struct metadata_file *mf
goto_out;
rv = read(fd, text_buf, text_size);
- if (rv != (int)text_size) {
+ if (rv != (ssize_t)text_size) {
log_error("Cannot read file: %s", mf->filename);
free(text_buf);
goto out;
--
2.54.0