From patchwork Mon Aug 13 20:31:53 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Keith Busch X-Patchwork-Id: 10564791 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 93C601057 for ; Mon, 13 Aug 2018 20:31:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 84637297DD for ; Mon, 13 Aug 2018 20:31:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 76799297F2; Mon, 13 Aug 2018 20:31:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from ml01.01.org (ml01.01.org [198.145.21.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 21851297DD for ; Mon, 13 Aug 2018 20:31:37 +0000 (UTC) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 1187C210EE4DD; Mon, 13 Aug 2018 13:31:37 -0700 (PDT) X-Original-To: linux-nvdimm@lists.01.org Delivered-To: linux-nvdimm@lists.01.org Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.24; helo=mga09.intel.com; envelope-from=keith.busch@intel.com; receiver=linux-nvdimm@lists.01.org Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id EFA85210E12BF for ; Mon, 13 Aug 2018 13:31:35 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Aug 2018 13:31:35 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,234,1531810800"; d="scan'208";a="224341922" Received: from unknown (HELO localhost.lm.intel.com) ([10.232.112.44]) by orsmga004.jf.intel.com with ESMTP; 13 Aug 2018 13:31:11 -0700 From: Keith Busch To: Vishal Verma , Dave Jiang , linux-nvdimm@lists.01.org Subject: [ndctl PATCH] ndctl: Work around kernel memory corruption Date: Mon, 13 Aug 2018 14:31:53 -0600 Message-Id: <20180813203153.562-1-keith.busch@intel.com> X-Mailer: git-send-email 2.13.6 X-BeenThere: linux-nvdimm@lists.01.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "Linux-nvdimm developer list." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: linux-nvdimm-bounces@lists.01.org Sender: "Linux-nvdimm" X-Virus-Scanned: ClamAV using ClamSMTP Kernel commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling") contained an incorrect ars status output size calculation and may overrun the buffer provided by 4 bytes. This patch adds 4 bytes to the buffer the user space allocates so that the kernel's overrun doesn't corrupt the application's heap. See kernel patch for more details: https://patchwork.kernel.org/patch/10563103/ Signed-off-by: Keith Busch Reviewed-by: Dave Jiang --- ndctl/lib/ars.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ndctl/lib/ars.c b/ndctl/lib/ars.c index c78e3bf..bd75131 100644 --- a/ndctl/lib/ars.c +++ b/ndctl/lib/ars.c @@ -133,7 +133,16 @@ NDCTL_EXPORT struct ndctl_cmd *ndctl_bus_cmd_new_ars_status(struct ndctl_cmd *ar } size = sizeof(*cmd) + ars_cap_cmd->max_ars_out; - cmd = calloc(1, size); + + /* + * Older kernels have a bug that miscalculates the output length of the + * ars status and will overrun the provided buffer by 4 bytes, + * corrupting the memory. Add an additional 4 bytes in the allocation + * size to prevent that corruption. See kernel patch for more details: + * + * https://patchwork.kernel.org/patch/10563103/ + */ + cmd = calloc(1, size + 4); if (!cmd) return NULL;