From 7f960c3bd050e76f8bf0a8a0c8fbdcbaa565fc78 Mon Sep 17 00:00:00 2001 From: Blazej Kucman Date: Fri, 22 Nov 2024 11:01:04 +0100 Subject: [PATCH 1/1] platform-intel: fix buffer overflow mdadm -C /dev/md/imsm0 -e imsm -n 2 /dev/nvme5n1 /dev/nvme4n1 -R mdadm -C /dev/md/r0d2 -l 0 -n 2 /dev/nvme5n1 /dev/nvme4n1 -R *** buffer overflow detected ***: terminated Aborted (core dumped) Issue is related to D_FORTIFY_SOURCE=3 flag and depends on environment, especially compiler version. In function active_arrays_by_format length of path buffer is calculated dynamically based on parameters, while PATH_MAX is used in snprintf, this is my lead to buffer overflow. It is fixed by change dynamic length calculation, to use define PATH_MAX for path length. Signed-off-by: Blazej Kucman --- super-intel.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/super-intel.c b/super-intel.c index 87026f5a0e80..9c464945d09c 100644 --- a/super-intel.c +++ b/super-intel.c @@ -7055,7 +7055,8 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist, int fd = -1; while (dev && !is_fd_valid(fd)) { - char *path = xmalloc(strlen(dev->name) + strlen("/dev/") + 1); + char path[PATH_MAX]; + num = snprintf(path, PATH_MAX, "%s%s", "/dev/", dev->name); if (num > 0) fd = open(path, O_RDONLY, 0); @@ -7063,7 +7064,6 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist, pr_vrb("Cannot open %s: %s\n", dev->name, strerror(errno)); } - free(path); dev = dev->next; } found = 0; -- 2.32.0 (Apple Git-132)