From patchwork Fri Jun 3 17:33:44 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Milan Broz X-Patchwork-Id: 847932 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter2.kernel.org (8.14.4/8.14.3) with ESMTP id p53HXqjR012479 for ; Fri, 3 Jun 2011 17:33:52 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752175Ab1FCRdt (ORCPT ); Fri, 3 Jun 2011 13:33:49 -0400 Received: from mx1.redhat.com ([209.132.183.28]:20405 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751853Ab1FCRdt (ORCPT ); Fri, 3 Jun 2011 13:33:49 -0400 Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p53HXmFJ025767 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Fri, 3 Jun 2011 13:33:48 -0400 Received: from tawny.mazyland.net (tawny.brq.redhat.com [10.34.26.53]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id p53HXlsc002974; Fri, 3 Jun 2011 13:33:48 -0400 From: Milan Broz To: linux-btrfs@vger.kernel.org Cc: Milan Broz Subject: [PATCH] btrfs-progs: Avoid buffer overflow for device name Date: Fri, 3 Jun 2011 19:33:44 +0200 Message-Id: <1307122424-25026-1-git-send-email-mbroz@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter2.kernel.org [140.211.167.43]); Fri, 03 Jun 2011 17:33:52 +0000 (UTC) btrfs overwrites memory for too long device paramater try btrfs device scan $(awk 'BEGIN{$5090=OFS="x";print}') ... ** buffer overflow detected ***: btrfs terminated ======= Backtrace: ========= /lib64/libc.so.6(__fortify_fail+0x37)[0x7f0ef2ea0607] /lib64/libc.so.6(+0xf6580)[0x7f0ef2e9e580] btrfs[0x402ec4] btrfs[0x401b48] /lib64/libc.so.6(__libc_start_main+0xed)[0x7f0ef2dc943d] btrfs[0x401df1] Patch just add obvious strncpy() checks to several users osf this paramater, probably still some path length check is needed to properly report error. See https://bugzilla.redhat.com/show_bug.cgi?id=710534 Signed-off-by: Milan Broz --- btrfs-vol.c | 2 +- btrfs_cmds.c | 14 +++++++------- btrfsctl.c | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/btrfs-vol.c b/btrfs-vol.c index 4ed799d..e06a54e 100644 --- a/btrfs-vol.c +++ b/btrfs-vol.c @@ -151,7 +151,7 @@ int main(int ac, char **av) } fd = dirfd(dirstream); if (device) - strcpy(args.name, device); + strncpy(args.name, device, sizeof(args.name)); else args.name[0] = '\0'; diff --git a/btrfs_cmds.c b/btrfs_cmds.c index 8031c58..6f5c634 100644 --- a/btrfs_cmds.c +++ b/btrfs_cmds.c @@ -375,7 +375,7 @@ int do_clone(int argc, char **argv) printf("Create a snapshot of '%s' in '%s/%s'\n", subvol, dstdir, newname); args.fd = fd; - strcpy(args.name, newname); + strncpy(args.name, newname, sizeof(args.name)); res = ioctl(fddst, BTRFS_IOC_SNAP_CREATE, &args); close(fd); @@ -436,7 +436,7 @@ int do_delete_subvolume(int argc, char **argv) } printf("Delete subvolume '%s/%s'\n", dname, vname); - strcpy(args.name, vname); + strncpy(args.name, vname, sizeof(args.name)); res = ioctl(fd, BTRFS_IOC_SNAP_DESTROY, &args); close(fd); @@ -490,7 +490,7 @@ int do_create_subvol(int argc, char **argv) } printf("Create subvolume '%s/%s'\n", dstdir, newname); - strcpy(args.name, newname); + strncpy(args.name, newname, sizeof(args.name)); res = ioctl(fddst, BTRFS_IOC_SUBVOL_CREATE, &args); close(fddst); @@ -553,7 +553,7 @@ int do_scan(int argc, char **argv) printf("Scanning for Btrfs filesystems in '%s'\n", argv[i]); - strcpy(args.name, argv[i]); + strncpy(args.name, argv[i], sizeof(args.name)); /* * FIXME: which are the error code returned by this ioctl ? * it seems that is impossible to understand if there no is @@ -593,7 +593,7 @@ int do_resize(int argc, char **argv) } printf("Resize '%s' of '%s'\n", path, amount); - strcpy(args.name, amount); + strncpy(args.name, amount, sizeof(args.name)); res = ioctl(fd, BTRFS_IOC_RESIZE, &args); close(fd); if( res < 0 ){ @@ -736,7 +736,7 @@ int do_add_volume(int nargs, char **args) } close(devfd); - strcpy(ioctl_args.name, args[i]); + strncpy(ioctl_args.name, args[i], sizeof(ioctl_args.name)); res = ioctl(fdmnt, BTRFS_IOC_ADD_DEV, &ioctl_args); if(res<0){ fprintf(stderr, "ERROR: error adding the device '%s'\n", args[i]); @@ -792,7 +792,7 @@ int do_remove_volume(int nargs, char **args) struct btrfs_ioctl_vol_args arg; int res; - strcpy(arg.name, args[i]); + strncpy(arg.name, args[i], sizeof(arg.name)); res = ioctl(fdmnt, BTRFS_IOC_RM_DEV, &arg); if(res<0){ fprintf(stderr, "ERROR: error removing the device '%s'\n", args[i]); diff --git a/btrfsctl.c b/btrfsctl.c index 92bdf39..29210f5 100644 --- a/btrfsctl.c +++ b/btrfsctl.c @@ -237,7 +237,7 @@ int main(int ac, char **av) } if (name) - strcpy(args.name, name); + strncpy(args.name, name, sizeof(args.name)); else args.name[0] = '\0';