Fix a couple of bugs found by covscan

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
This commit is contained in:
Michal Schmidt 2023-02-02 12:01:49 +01:00
parent d24472bc16
commit 514221a914
6 changed files with 233 additions and 5 deletions

View File

@ -0,0 +1,85 @@
From 5075b961a29ff9c418e1fefe78432e95dd0a5fcc Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Wed, 1 Feb 2023 22:41:06 +0100
Subject: [PATCH 1/3] util: fix overflow in remap_node_name()
The function remap_node_name() assumes the parameter 'nodedesc' is at
least IB_SMP_DATA_SIZE + 1 (i.e. 65) bytes long, because it passes it to
clean_nodedesc() that writes a nul-terminator to it at offset
IB_SMP_DATA_SIZE. Callers in infiniband-diags/saquery.c pass
a (struct ib_node_desc_t).description as the argument, which is only
IB_NODE_DESCRIPTION_SIZE (i.e. 64) bytes long. This is an overflow.
An odd thing about remap_node_name() is that it may (but does not
always) rewrite the nodedesc in-place. Callers do not appear to
appreciate this behavior. Most of them are various print_* and dump_*
functions where rewriting the input makes no sense. Some callers make a
local copy of the nodedesc first, possibly to protect the original.
One caller (infiniband-diags/saquery.c:print_node_records()) checks if
either the original description or the remapped one matches a given
requested_name - so it looks like it prefers the original to be
not rewritten.
Let's make remap_node_name() a bit safer and more convenient to use.
Allocate a fixed-sized copy first. Then use strncpy to copy from
'nodedesc', never reading more than IB_SMP_DATA_SIZE (64) bytes.
Apply clean_nodedesc() on the correctly-sized copy. This solves the
overflow bug. Also, the in-place rewrite of 'nodedesc' is gone and it
can become a (const char*).
The overflow was found by a static checker (covscan).
Fixes: d974c4e398d2 ("Fix max length of node description (ibnetdiscover and smpquery)")
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
---
util/node_name_map.c | 12 +++++++++---
util/node_name_map.h | 3 +--
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/util/node_name_map.c b/util/node_name_map.c
index 30b73eb1448e..511cb92ef19c 100644
--- a/util/node_name_map.c
+++ b/util/node_name_map.c
@@ -95,7 +95,7 @@ void close_node_name_map(nn_map_t * map)
free(map);
}
-char *remap_node_name(nn_map_t * map, uint64_t target_guid, char *nodedesc)
+char *remap_node_name(nn_map_t * map, uint64_t target_guid, const char *nodedesc)
{
char *rc = NULL;
name_map_item_t *item = NULL;
@@ -108,8 +108,14 @@ char *remap_node_name(nn_map_t * map, uint64_t target_guid, char *nodedesc)
rc = strdup(item->name);
done:
- if (rc == NULL)
- rc = strdup(clean_nodedesc(nodedesc));
+ if (rc == NULL) {
+ rc = malloc(IB_SMP_DATA_SIZE + 1);
+ if (rc) {
+ strncpy(rc, nodedesc, IB_SMP_DATA_SIZE);
+ rc[IB_SMP_DATA_SIZE] = '\0';
+ clean_nodedesc(rc);
+ }
+ }
return (rc);
}
diff --git a/util/node_name_map.h b/util/node_name_map.h
index e78d274b116e..d83d672782c4 100644
--- a/util/node_name_map.h
+++ b/util/node_name_map.h
@@ -12,8 +12,7 @@ typedef struct nn_map nn_map_t;
nn_map_t *open_node_name_map(const char *node_name_map);
void close_node_name_map(nn_map_t *map);
-/* NOTE: parameter "nodedesc" may be modified here. */
-char *remap_node_name(nn_map_t *map, uint64_t target_guid, char *nodedesc);
+char *remap_node_name(nn_map_t *map, uint64_t target_guid, const char *nodedesc);
char *clean_nodedesc(char *nodedesc);
#endif
--
2.39.1

View File

@ -0,0 +1,95 @@
From d5723a0f69577fd3022024ca17c27e273a29695b Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Wed, 1 Feb 2023 22:41:16 +0100
Subject: [PATCH 2/3] infiniband-diags: drop unnecessary nodedesc local copies
Now that remap_node_name() never rewrites nodedesc in-place, some
copying can be avoided.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
---
infiniband-diags/dump_fts.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/infiniband-diags/dump_fts.c b/infiniband-diags/dump_fts.c
index ce6bfb9ecc33..acef9efe692d 100644
--- a/infiniband-diags/dump_fts.c
+++ b/infiniband-diags/dump_fts.c
@@ -109,7 +109,6 @@ static void dump_multicast_tables(ibnd_node_t *node, unsigned startl,
unsigned endl, struct ibmad_port *mad_port)
{
ib_portid_t *portid = &node->path_portid;
- char nd[IB_SMP_DATA_SIZE + 1] = { 0 };
char str[512];
char *s;
uint64_t nodeguid;
@@ -119,7 +118,6 @@ static void dump_multicast_tables(ibnd_node_t *node, unsigned startl,
char *mapnd = NULL;
int n = 0;
- memcpy(nd, node->nodedesc, strlen(node->nodedesc));
nports = node->numports;
nodeguid = node->guid;
@@ -149,7 +147,7 @@ static void dump_multicast_tables(ibnd_node_t *node, unsigned startl,
endl = IB_MAX_MCAST_LID;
}
- mapnd = remap_node_name(node_name_map, nodeguid, nd);
+ mapnd = remap_node_name(node_name_map, nodeguid, node->nodedesc);
printf("Multicast mlids [0x%x-0x%x] of switch %s guid 0x%016" PRIx64
" (%s):\n", startl, endl, portid2str(portid), nodeguid,
@@ -224,8 +222,6 @@ static int dump_lid(char *str, int str_len, int lid, int valid,
ibnd_fabric_t *fabric, int *last_port_lid,
int *base_port_lid, uint64_t *portguid)
{
- char nd[IB_SMP_DATA_SIZE + 1] = { 0 };
-
ibnd_port_t *port = NULL;
char ntype[50], sguid[30];
@@ -276,14 +272,12 @@ static int dump_lid(char *str, int str_len, int lid, int valid,
baselid = port->base_lid;
lmc = port->lmc;
- memcpy(nd, port->node->nodedesc, strlen(port->node->nodedesc));
-
if (lmc > 0) {
*base_port_lid = baselid;
*last_port_lid = baselid + (1 << lmc) - 1;
}
- mapnd = remap_node_name(node_name_map, nodeguid, nd);
+ mapnd = remap_node_name(node_name_map, nodeguid, port->node->nodedesc);
rc = snprintf(str, str_len, ": (%s portguid %s: '%s')",
mad_dump_val(IB_NODE_TYPE_F, ntype, sizeof ntype,
@@ -302,7 +296,6 @@ static void dump_unicast_tables(ibnd_node_t *node, int startl, int endl,
{
ib_portid_t * portid = &node->path_portid;
char lft[IB_SMP_DATA_SIZE] = { 0 };
- char nd[IB_SMP_DATA_SIZE + 1] = { 0 };
char str[200];
uint64_t nodeguid;
int block, i, e, top;
@@ -315,7 +308,6 @@ static void dump_unicast_tables(ibnd_node_t *node, int startl, int endl,
mad_decode_field(node->switchinfo, IB_SW_LINEAR_FDB_TOP_F, &top);
nodeguid = node->guid;
nports = node->numports;
- memcpy(nd, node->nodedesc, strlen(node->nodedesc));
if (!endl || endl > top)
endl = top;
@@ -326,7 +318,7 @@ static void dump_unicast_tables(ibnd_node_t *node, int startl, int endl,
endl = IB_MAX_UCAST_LID;
}
- mapnd = remap_node_name(node_name_map, nodeguid, nd);
+ mapnd = remap_node_name(node_name_map, nodeguid, node->nodedesc);
printf("Unicast lids [0x%x-0x%x] of switch %s guid 0x%016" PRIx64
" (%s):\n", startl, endl, portid2str(portid), nodeguid,
--
2.39.1

View File

@ -0,0 +1,38 @@
From 45fcc7ad41216a93bafb452f7d7a4507d52722cd Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Wed, 1 Feb 2023 23:30:52 +0100
Subject: [PATCH 3/3] libibnetdisc: fix printing a possibly non-NUL-terminated
string
Found by a static check (covscan).
Fixes: d974c4e398d2 ("Fix max length of node description (ibnetdiscover and smpquery)")
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
---
libibnetdisc/chassis.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libibnetdisc/chassis.c b/libibnetdisc/chassis.c
index a3ec1d82807c..bc1a8aff8acb 100644
--- a/libibnetdisc/chassis.c
+++ b/libibnetdisc/chassis.c
@@ -597,7 +597,7 @@ static int fill_mellanox_chassis_record(ibnd_node_t * node)
int p = 0;
ibnd_port_t *port;
- char node_desc[IB_SMP_DATA_SIZE];
+ char node_desc[IB_SMP_DATA_SIZE + 1];
char *system_name;
char *system_type;
char *system_slot_name;
@@ -617,6 +617,7 @@ static int fill_mellanox_chassis_record(ibnd_node_t * node)
*/
memcpy(node_desc, node->nodedesc, IB_SMP_DATA_SIZE);
+ node_desc[IB_SMP_DATA_SIZE] = '\0';
IBND_DEBUG("fill_mellanox_chassis_record: node_desc:%s \n",node_desc);
--
2.39.1

View File

@ -1,6 +1,6 @@
Name: rdma-core
Version: 44.0
Release: 1%{?dist}
Release: 2%{?dist}
Summary: RDMA core userspace libraries and daemons
# Almost everything is licensed under the OFA dual GPLv2, 2 Clause BSD license
@ -10,8 +10,12 @@ Summary: RDMA core userspace libraries and daemons
License: GPLv2 or BSD
Url: https://github.com/linux-rdma/rdma-core
Source: https://github.com/linux-rdma/rdma-core/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch1: 0001-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch
Patch2: udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch
# 0001-0003: https://github.com/linux-rdma/rdma-core/pull/1308
Patch1: 0001-util-fix-overflow-in-remap_node_name.patch
Patch2: 0002-infiniband-diags-drop-unnecessary-nodedesc-local-cop.patch
Patch3: 0003-libibnetdisc-fix-printing-a-possibly-non-NUL-termina.patch
Patch9998: 9998-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch
Patch9999: 9999-udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch
# Do not build static libs by default.
%define with_static %{?_with_static: 1} %{?!_with_static: 0}
@ -273,11 +277,14 @@ easy, object-oriented access to IB verbs.
%prep
%setup -q
%if 0%{?fedora}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%if 0%{?fedora}
%patch9998 -p1
%endif
%if 0%{?rhel}
%patch2 -p1
%patch9999 -p1
%endif
%build
@ -663,6 +670,9 @@ fi
%endif
%changelog
* Thu Feb 02 2023 Michal Schmidt <mschmidt@redhat.com> - 44.0-2
- Fix a couple of bugs found by covscan.
* Tue Jan 31 2023 Michal Schmidt <mschmidt@redhat.com> - 44.0-1
- Rebase to upstream v44.0.