mdadm/0086-Fix-NULL-dereference-in-super_by_fd.patch

From f1f3ef7d2de5e3a726c27b9f9bb20e270a100dab Mon Sep 17 00:00:00 2001
From: Li Xiao Keng <lixiaokeng@huawei.com>
Date: Mon, 27 Feb 2023 11:12:07 +0800
Subject: [PATCH 086/125] Fix NULL dereference in super_by_fd

When we create 100 partitions (major is 259 not 254) in a raid device,
mdadm may coredump:

Core was generated by `/usr/sbin/mdadm --detail --export /dev/md1p7'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strlen_avx2_rtm () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
74		VPCMPEQ	(%rdi), %ymm0, %ymm1
(gdb) bt
#0  __strlen_avx2_rtm () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x00007fbb9a7e4139 in __strcpy_chk (dest=dest@entry=0x55d55d6a13ac "", src=0x0, destlen=destlen@entry=32) at strcpy_chk.c:28
#2  0x000055d55ba1766d in strcpy (__src=<optimized out>, __dest=0x55d55d6a13ac "") at /usr/include/bits/string_fortified.h:79
#3  super_by_fd (fd=fd@entry=3, subarrayp=subarrayp@entry=0x7fff44dfcc48) at util.c:1289
#4  0x000055d55ba273a6 in Detail (dev=0x7fff44dfef0b "/dev/md1p7", c=0x7fff44dfe440) at Detail.c:101
#5  0x000055d55ba0de61 in misc_list (c=<optimized out>, ss=<optimized out>, dump_directory=<optimized out>, ident=<optimized out>, devlist=<optimized out>) at mdadm.c:1959
#6  main (argc=<optimized out>, argv=<optimized out>) at mdadm.c:1629

The direct cause is fd2devnm returning NULL, so add a check.

Signed-off-by: Li Xiao Keng <lixiaokeng@huawei.com>
Signed-off-by: Wu Guang Hao <wuguanghao3@huawei.com>
Acked-by: Coly Li <colyli@suse.de>
Acked-by: Coly Li <colyli@suse.de <mailto:colyli@suse.de>>
Signed-off-by: Jes Sorensen <jes@trained-monkey.org>
---
 mapfile.c | 4 ++++
 util.c    | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/mapfile.c b/mapfile.c
index 6b2207dd..ac351768 100644
--- a/mapfile.c
+++ b/mapfile.c
@@ -292,6 +292,10 @@ struct map_ent *map_by_uuid(struct map_ent **map, int uuid[4])
 struct map_ent *map_by_devnm(struct map_ent **map, char *devnm)
 {
 	struct map_ent *mp;
+
+	if (!devnm)
+		return NULL;
+
 	if (!*map)
 		map_read(map);
 
diff --git a/util.c b/util.c
index 9cd89fa4..8c7f3fd5 100644
--- a/util.c
+++ b/util.c
@@ -1160,6 +1160,11 @@ struct supertype *super_by_fd(int fd, char **subarrayp)
 	int i;
 	char *subarray = NULL;
 	char container[32] = "";
+	char *devnm = NULL;
+
+	devnm = fd2devnm(fd);
+	if (!devnm)
+		return NULL;
 
 	sra = sysfs_read(fd, NULL, GET_VERSION);
 
@@ -1205,7 +1210,7 @@ struct supertype *super_by_fd(int fd, char **subarrayp)
 		if (subarrayp)
 			*subarrayp = subarray;
 		strcpy(st->container_devnm, container);
-		strcpy(st->devnm, fd2devnm(fd));
+		strncpy(st->devnm, devnm, MD_NAME_MAX - 1);
 	} else
 		free(subarray);
 
-- 
2.38.1