7a4d6633db
- compiler warnings - diag_nvme: call_home command fails on nvmf drive - rtas_errd: Fix core dump with large filename passed to -f option Resolves: RHEL-55398
90 lines
3.2 KiB
Diff
90 lines
3.2 KiB
Diff
commit 357923dafda766429acbe68470c3bd6028d5ebf5
|
|
Author: Sathvika Vasireddy <sv@linux.ibm.com>
|
|
Date: Sun May 5 02:48:25 2024 -0400
|
|
|
|
rtas_errd: Fix core dump with large filename passed to -f option
|
|
|
|
When a filename passed to rtas_errd's -f option is excessively long,
|
|
it causes a stack buffer overflow in the _log_msg() function, leading
|
|
to stack smashing.
|
|
|
|
The _log_msg() function, utilized by log_msg(), operates with a buffer
|
|
limited to 4096 characters. Additional space is consumed by _dbg() and
|
|
re-formatting in _log_msg(), increasing the risk of buffer overflow.
|
|
|
|
To address this, in case of an error, if the filename exceeds the
|
|
length of 2048 characters, truncate it and log a message indicating the
|
|
truncation. Use 2048 characters as limit for filename length to allow
|
|
space for further modifications.
|
|
|
|
Additionally, add a check when processing the -f option to ensure that
|
|
the length of the specified filename does not exceed 4096 characters.
|
|
|
|
Reported-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
|
|
Closes: https://github.com/power-ras/ppc64-diag/issues/31
|
|
Signed-off-by: Sathvika Vasireddy <sv@linux.ibm.com>
|
|
Tested-by: R Nageswara Sastry<rnsastry@linux.ibm.com>
|
|
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
|
|
|
|
diff --git a/rtas_errd/files.c b/rtas_errd/files.c
|
|
index 4be75c6..3750bdc 100644
|
|
--- a/rtas_errd/files.c
|
|
+++ b/rtas_errd/files.c
|
|
@@ -284,10 +284,27 @@ init_files(void)
|
|
proc_error_log_fd = open(proc_error_log2, O_RDONLY);
|
|
|
|
if (proc_error_log_fd < 0) {
|
|
- log_msg(NULL, "Could not open error log file at either %s or "
|
|
- "%s, %s\nThe rtas_errd daemon cannot continue and will "
|
|
- "exit", proc_error_log1, proc_error_log2,
|
|
- strerror(errno));
|
|
+
|
|
+ if (strlen(proc_error_log1) <= 2048) {
|
|
+ log_msg(NULL, "Could not open error log file at either %s or "
|
|
+ "%s, %s\nThe rtas_errd daemon cannot continue and will "
|
|
+ "exit", proc_error_log1, proc_error_log2,
|
|
+ strerror(errno));
|
|
+ } else {
|
|
+ /* If the filename is too long, truncate it */
|
|
+ char truncated_filename[2048];
|
|
+
|
|
+ strncpy(truncated_filename, proc_error_log1,
|
|
+ sizeof(truncated_filename) - 1);
|
|
+ truncated_filename[sizeof(truncated_filename) - 1] = '\0';
|
|
+
|
|
+ log_msg(NULL, "Truncating the filename since it is too long "
|
|
+ "(%d characters)", strlen(proc_error_log1));
|
|
+ log_msg(NULL, "Could not open error log file at either %s or "
|
|
+ "%s, %s\nThe rtas_errd daemon cannot continue and will "
|
|
+ "exit", truncated_filename, proc_error_log2,
|
|
+ strerror(errno));
|
|
+ }
|
|
return -1;
|
|
}
|
|
|
|
diff --git a/rtas_errd/rtas_errd.c b/rtas_errd/rtas_errd.c
|
|
index 10c422c..f6c6a4a 100644
|
|
--- a/rtas_errd/rtas_errd.c
|
|
+++ b/rtas_errd/rtas_errd.c
|
|
@@ -30,6 +30,7 @@
|
|
#include <sys/stat.h>
|
|
#include <sys/wait.h>
|
|
#include <librtas.h>
|
|
+#include <limits.h>
|
|
|
|
#include "rtas_errd.h"
|
|
#include "platform.h"
|
|
@@ -474,6 +475,12 @@ main(int argc, char *argv[])
|
|
|
|
f_flag++;
|
|
proc_error_log1 = optarg;
|
|
+ if (strlen(proc_error_log1) > PATH_MAX) {
|
|
+ fprintf(stderr, "The specified file path %s exceeds"
|
|
+ " the maximum supported file length of 4096 characters.\n",
|
|
+ proc_error_log1);
|
|
+ goto error_out;
|
|
+ }
|
|
proc_error_log2 = NULL;
|
|
break;
|
|
|