mdadm/0202-platform-intel-fix-buffer-overflow.patch

From 7f960c3bd050e76f8bf0a8a0c8fbdcbaa565fc78 Mon Sep 17 00:00:00 2001
From: Blazej Kucman <blazej.kucman@intel.com>
Date: Fri, 22 Nov 2024 11:01:04 +0100
Subject: [PATCH 1/1] platform-intel: fix buffer overflow

mdadm -C /dev/md/imsm0 -e imsm -n 2 /dev/nvme5n1 /dev/nvme4n1 -R
mdadm -C /dev/md/r0d2 -l 0 -n 2 /dev/nvme5n1 /dev/nvme4n1 -R
*** buffer overflow detected ***: terminated
Aborted (core dumped)

Issue is related to D_FORTIFY_SOURCE=3 flag and depends on environment,
especially compiler version. In function active_arrays_by_format length of
path buffer is calculated dynamically based on parameters, while PATH_MAX
is used in snprintf, this is my lead to buffer overflow.

It is fixed by change dynamic length calculation, to use define PATH_MAX
for path length.

Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
 super-intel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/super-intel.c b/super-intel.c
index 87026f5a0e80..9c464945d09c 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -7055,7 +7055,8 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist,
 			int fd = -1;
 
 			while (dev && !is_fd_valid(fd)) {
-				char *path = xmalloc(strlen(dev->name) + strlen("/dev/") + 1);
+				char path[PATH_MAX];
+
 				num = snprintf(path, PATH_MAX, "%s%s", "/dev/", dev->name);
 				if (num > 0)
 					fd = open(path, O_RDONLY, 0);
@@ -7063,7 +7064,6 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist,
 					pr_vrb("Cannot open %s: %s\n",
 					       dev->name, strerror(errno));
 				}
-				free(path);
 				dev = dev->next;
 			}
 			found = 0;
-- 
2.32.0 (Apple Git-132)
Fix two create commands problems Resolves: RHEL-69286, RHEL-68654 Signed-off-by: Xiao Ni <xni@redhat.com> 2024-12-04 06:49:44 +00:00			`From 7f960c3bd050e76f8bf0a8a0c8fbdcbaa565fc78 Mon Sep 17 00:00:00 2001`
			`From: Blazej Kucman <blazej.kucman@intel.com>`
			`Date: Fri, 22 Nov 2024 11:01:04 +0100`
			`Subject: [PATCH 1/1] platform-intel: fix buffer overflow`

			`mdadm -C /dev/md/imsm0 -e imsm -n 2 /dev/nvme5n1 /dev/nvme4n1 -R`
			`mdadm -C /dev/md/r0d2 -l 0 -n 2 /dev/nvme5n1 /dev/nvme4n1 -R`
			`* buffer overflow detected *: terminated`
			`Aborted (core dumped)`

			`Issue is related to D_FORTIFY_SOURCE=3 flag and depends on environment,`
			`especially compiler version. In function active_arrays_by_format length of`
			`path buffer is calculated dynamically based on parameters, while PATH_MAX`
			`is used in snprintf, this is my lead to buffer overflow.`

			`It is fixed by change dynamic length calculation, to use define PATH_MAX`
			`for path length.`

			`Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>`
			`---`
			`super-intel.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/super-intel.c b/super-intel.c`
			`index 87026f5a0e80..9c464945d09c 100644`
			`--- a/super-intel.c`
			`+++ b/super-intel.c`
			`@@ -7055,7 +7055,8 @@ active_arrays_by_format(char name, char hba, struct md_list **devlist,`
			`int fd = -1;`

			`while (dev && !is_fd_valid(fd)) {`
			`- char *path = xmalloc(strlen(dev->name) + strlen("/dev/") + 1);`
			`+ char path[PATH_MAX];`
			`+`
			`num = snprintf(path, PATH_MAX, "%s%s", "/dev/", dev->name);`
			`if (num > 0)`
			`fd = open(path, O_RDONLY, 0);`
			`@@ -7063,7 +7064,6 @@ active_arrays_by_format(char name, char hba, struct md_list **devlist,`
			`pr_vrb("Cannot open %s: %s\n",`
			`dev->name, strerror(errno));`
			`}`
			`- free(path);`
			`dev = dev->next;`
			`}`
			`found = 0;`
			`--`
			`2.32.0 (Apple Git-132)`