rpcdebug: avoid buffer underflow (RHEL-7931)

blkmapd: fix coredump in bl_add_disk (RHEL-7941)
commit c1c35487aba2cec828d9b8a1be9043000beadea5 Author: Lixiaokeng <lixiaokeng@huawei.com> Date: Mon Oct 24 13:00:50 2022 -0400 blkmapd: fix coredump in bl_add_disk Signed-off-by: Steve Dickson <steved@redhat.com> Resolves: RHEL-7941
2024-02-07 03:22:40 +00:00 · 2024-02-05 12:24:18 -05:00
4 changed files with 119 additions and 1 deletions
--- a/.nfs-utils.metadata
+++ b/.nfs-utils.metadata
@ -0,0 +1 @@
+1b097d511c85f95671619f51b37abd75d56ea777 nfs-utils-2.5.4.tar.xz
--- a/nfs-utils-2.5.4-blkmapd-double-free.patch
+++ b/nfs-utils-2.5.4-blkmapd-double-free.patch
@ -0,0 +1,89 @@
+commit c1c35487aba2cec828d9b8a1be9043000beadea5
+Author: Lixiaokeng <lixiaokeng@huawei.com>
+Date:   Mon Oct 24 13:00:50 2022 -0400
+
+    blkmapd: fix coredump in bl_add_disk
+    
+    The serial->data is not malloced separately (just part of
+    the serial), so it can't be freed. The bl_serial has its
+    own free function. Use it.
+    
+    Signed-off-by: Lixiaokeng <lixiaokeng@huawei.com>
+    Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+    Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/utils/blkmapd/device-discovery.c b/utils/blkmapd/device-discovery.c
+index 49935c2e..bd890598 100644
+--- a/utils/blkmapd/device-discovery.c
+++ b/utils/blkmapd/device-discovery.c
+@@ -187,10 +187,7 @@ static void bl_add_disk(char *filepath)
+ 	}
+ 
+ 	if (disk && diskpath) {
+-		if (serial) {
+-			free(serial->data);
+-			free(serial);
+-		}
+		bl_free_scsi_string(serial);
+ 		return;
+ 	}
+ 
+@@ -228,10 +225,7 @@ static void bl_add_disk(char *filepath)
+ 			disk->size = size;
+ 			disk->valid_path = path;
+ 		}
+-		if (serial) {
+-			free(serial->data);
+-			free(serial);
+-		}
+		bl_free_scsi_string(serial);
+ 	}
+ 	return;
+ 
+@@ -241,10 +235,7 @@ static void bl_add_disk(char *filepath)
+ 			free(path->full_path);
+ 		free(path);
+ 	}
+-	if (serial) {
+-		free(serial->data);
+-		free(serial);
+-	}
+	bl_free_scsi_string(serial);
+ 	return;
+ }
+ 
+diff --git a/utils/blkmapd/device-discovery.h b/utils/blkmapd/device-discovery.h
+index a86eed99..462aa943 100644
+--- a/utils/blkmapd/device-discovery.h
+++ b/utils/blkmapd/device-discovery.h
+@@ -151,6 +151,8 @@ uint64_t process_deviceinfo(const char *dev_addr_buf,
+ 
+ extern ssize_t atomicio(ssize_t(*f) (int, void *, size_t),
+ 			int fd, void *_s, size_t n);
+extern struct bl_serial *bl_create_scsi_string(int len, const char *bytes);
+extern void bl_free_scsi_string(struct bl_serial *str);
+ extern struct bl_serial *bldev_read_serial(int fd, const char *filename);
+ extern enum bl_path_state_e bldev_read_ap_state(int fd);
+ extern int bl_discover_devices(void);
+diff --git a/utils/blkmapd/device-inq.c b/utils/blkmapd/device-inq.c
+index c7952c3e..9e5749ef 100644
+--- a/utils/blkmapd/device-inq.c
+++ b/utils/blkmapd/device-inq.c
+@@ -53,7 +53,7 @@
+ #define DEF_ALLOC_LEN	255
+ #define MX_ALLOC_LEN	(0xc000 + 0x80)
+ 
+-static struct bl_serial *bl_create_scsi_string(int len, const char *bytes)
+struct bl_serial *bl_create_scsi_string(int len, const char *bytes)
+ {
+ 	struct bl_serial *s;
+ 
+@@ -66,7 +66,7 @@ static struct bl_serial *bl_create_scsi_string(int len, const char *bytes)
+ 	return s;
+ }
+ 
+-static void bl_free_scsi_string(struct bl_serial *str)
+void bl_free_scsi_string(struct bl_serial *str)
+ {
+ 	if (str)
+ 		free(str);
--- a/nfs-utils-2.5.4-rpcdebug-check-read-return.patch
+++ b/nfs-utils-2.5.4-rpcdebug-check-read-return.patch
@ -0,0 +1,24 @@
+commit a746c35822e557766d1871ec976490a71e6962d9
+Author: Zhi Li <yieli@redhat.com>
+Date:   Wed Apr 5 12:08:10 2023 -0400
+
+    rpcdebug: avoid buffer underflow if read() returns 0
+    
+    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2176740
+    
+    Signed-off-by: Zhi Li <yieli@redhat.com>
+    Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/tools/rpcdebug/rpcdebug.c b/tools/rpcdebug/rpcdebug.c
+index 68206cc5..ec05179e 100644
+--- a/tools/rpcdebug/rpcdebug.c
+++ b/tools/rpcdebug/rpcdebug.c
+@@ -257,7 +257,7 @@ get_flags(char *module)
+ 		perror(filename);
+ 		exit(1);
+ 	}
+-	if ((len = read(sysfd, buffer, sizeof(buffer))) < 0) {
+	if ((len = read(sysfd, buffer, sizeof(buffer))) <= 0) {
+ 		perror("read");
+ 		exit(1);
+ 	}
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@ -56,6 +56,8 @@ Patch020: nfs-utils-2.5.4-gssd-bad-integ-error-support.patch
 Patch021: nfs-utils-2.5.4-mount-mountconf-typo.patch
 Patch022: nfs-utils-2.5.4-support-for-rpc-with-tls.patch
 Patch023: nfs-utils-2.5.4-fix-typos-in-messages.patch
+Patch024: nfs-utils-2.5.4-blkmapd-double-free.patch
+Patch025: nfs-utils-2.5.4-rpcdebug-check-read-return.patch

 Patch100: nfs-utils-1.2.1-statdpath-man.patch
 Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch
@ -497,8 +499,10 @@ fi
 %{_mandir}/*/nfsiostat.8.gz

 %changelog
-* Mon Feb  5 2024 Steve Dickson <steved@redhat.com> 2.5.4-23
+* Tus Feb  6 2024 Steve Dickson <steved@redhat.com> 2.5.4-23
 - Typos and documentation fixes (RHEL-22654)
+- blkmapd: fix coredump in bl_add_disk (RHEL-7941)
+- rpcdebug: avoid buffer underflow (RHEL-7931)

 * Thu Feb  1 2024 Steve Dickson <steved@redhat.com> 2.5.4-22
 - nfsmount.conf: Fix typo of the attribute name (RHEL-7904)
				`@ -0,0 +1 @@`
				`1b097d511c85f95671619f51b37abd75d56ea777 nfs-utils-2.5.4.tar.xz`