[CRIU] [PATCH] sk-netlink: fix overflow

Libo Chen clbchenlibo.chen at huawei.com
Thu Apr 25 01:45:16 EDT 2013


Running ./crtools check breaks:

*** buffer overflow detected ***: ./crtools terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fdaacb3e82c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fdaacb3d700]
./crtools[0x423d00]
./crtools[0x41d021]
./crtools[0x41d259]
./crtools[0x41e4b6]
./crtools[0x418f03]
./crtools[0x404988]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fdaaca5576d]
./crtools[0x404ad9]
======= Memory map: ========
00400000-00463000 r-xp 00000000 08:01 189158                             /home/clb/crtools/crtools
00662000-00663000 r--p 00062000 08:01 189158                             /home/clb/crtools/crtools
00663000-00671000 rw-p 00063000 08:01 189158                             /home/clb/crtools/crtools
00671000-00677000 rw-p 00000000 00:00 0
01801000-01822000 rw-p 00000000 00:00 0                                  [heap]
7fdaac81e000-7fdaac833000 r-xp 00000000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fdaac833000-7fdaaca32000 ---p 00015000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fdaaca32000-7fdaaca33000 r--p 00014000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fdaaca33000-7fdaaca34000 rw-p 00015000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fdaaca34000-7fdaacbe9000 r-xp 00000000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
7fdaacbe9000-7fdaacde8000 ---p 001b5000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
7fdaacde8000-7fdaacdec000 r--p 001b4000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
7fdaacdec000-7fdaacdee000 rw-p 001b8000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
7fdaacdee000-7fdaacdf3000 rw-p 00000000 00:00 0
7fdaacdf3000-7fdaace03000 r-xp 00000000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
7fdaace03000-7fdaad002000 ---p 00010000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
7fdaad002000-7fdaad003000 r--p 0000f000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
7fdaad003000-7fdaad004000 rw-p 00010000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
7fdaad004000-7fdaad01c000 r-xp 00000000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7fdaad01c000-7fdaad21b000 ---p 00018000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7fdaad21b000-7fdaad21c000 r--p 00017000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7fdaad21c000-7fdaad21d000 rw-p 00018000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7fdaad21d000-7fdaad221000 rw-p 00000000 00:00 0
7fdaad221000-7fdaad243000 r-xp 00000000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
7fdaad437000-7fdaad43b000 rw-p 00000000 00:00 0
7fdaad440000-7fdaad443000 rw-p 00000000 00:00 0
7fdaad443000-7fdaad444000 r--p 00022000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
7fdaad444000-7fdaad446000 rw-p 00023000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
7fff9eb3c000-7fff9eb5d000 rw-p 00000000 00:00 0                          [stack]
7fff9ebcf000-7fff9ebd1000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]


I found this overflow at this statement: memcpy(sd->groups, groups, sd->gsize);
The reason is that sd->gsize = 8 bytes, but sd->groups = xmalloc(sizeof(sd->gsize)) is exactly 4 bytes.

Signed-off-by: Libo Chen <libo.chen at huawei.com>
Signed-off-by: Qiang Huang <h.huangqiang at huawei.com>
---
 sk-netlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sk-netlink.c b/sk-netlink.c
index dbfe8ca..68d38f8 100644
--- a/sk-netlink.c
+++ b/sk-netlink.c
@@ -51,7 +51,7 @@ int netlink_receive_one(struct nlmsghdr *hdr, void *arg)
 		sd->gsize = RTA_PAYLOAD(tb[NETLINK_DIAG_GROUPS]);
 		groups = RTA_DATA(tb[NETLINK_DIAG_GROUPS]);

-		sd->groups = xmalloc(sizeof(sd->gsize));
+		sd->groups = xmalloc(sd->gsize);
 		if (!sd->groups) {
 			xfree(sd);
 			return -1;
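Review bot: the allocation size now matches the length later handed to memcpy, which is the right fix; sizeof(sd->gsize) is the size of the length field itself, so any groups payload longer than that field (the commit message reports 8 bytes against a 4-byte buffer) wrote past the end of the heap allocation. One thing worth adding in the same hunk: sd->gsize is taken straight from RTA_PAYLOAD() on the line above, so consider rejecting a zero length and, if sd->groups is a typed array, a length that is not a whole multiple of its element size before the xmalloc, e.g. `if (!sd->gsize || sd->gsize % sizeof(*sd->groups)) { xfree(sd); return -1; }`, so a malformed or unexpectedly sized netlink reply fails cleanly instead of producing a short or oversized buffer.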
-- 
1.7.10.4

_______________________________________________
Kernel.openeuler mailing list
Kernel.openeuler at huawei.com
http://rnd-openeuler.huawei.com/mailman/listinfo/kernel.openeuler
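The defect class behind this patch, a sizeof() taken of the length field instead of the length it holds, is easy to reproduce in isolation. The following is an added example written for this page, not CRIU's own code: the struct, function and field names are stand-ins for the real netlink_sk_desc, and the payload is constructed. It shows the buggy and the fixed allocation size side by side, plus a receive routine that validates the kernel-reported length before allocating and copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the CRIU netlink socket descriptor (names assumed, not
 * taken from the project). gsize holds the groups payload length in bytes
 * as reported by the kernel; groups holds that payload. */
struct nl_sk_desc {
	uint32_t *groups;
	uint32_t gsize;
};

/* Buggy variant: sizeof(sd->gsize) is the size of the length field (4 bytes
 * for a uint32_t), not the length it contains. Any payload longer than the
 * field itself then overflows the buffer in the later memcpy. */
static size_t alloc_size_buggy(const struct nl_sk_desc *sd)
{
	return sizeof(sd->gsize);
}

/* Fixed variant: allocate exactly the number of bytes that will be copied. */
static size_t alloc_size_fixed(const struct nl_sk_desc *sd)
{
	return sd->gsize;
}

/* Returns 1 if a memcpy of gsize bytes into a buffer of alloc bytes stays
 * in bounds, 0 if it would overflow. */
int copy_fits(size_t alloc, uint32_t gsize)
{
	return gsize <= alloc;
}

/* Copy a kernel-provided groups payload into a freshly allocated buffer.
 * The length comes from the netlink reply, so it is validated first: it must
 * be non-zero, within max_len, and a whole number of 32-bit group words.
 * Returns 0 on success and -1 on a rejected length or allocation failure. */
int receive_groups(struct nl_sk_desc *sd, const void *payload,
		   uint32_t len, uint32_t max_len)
{
	if (len == 0 || len > max_len || len % sizeof(*sd->groups) != 0)
		return -1;

	sd->gsize = len;
	sd->groups = malloc(sd->gsize);   /* length value, not sizeof(length) */
	if (!sd->groups)
		return -1;

	memcpy(sd->groups, payload, sd->gsize);
	return 0;
}
```

With gsize set to 8, as in the report, the buggy variant yields a 4-byte buffer and copy_fits() reports the overflow; the fixed variant yields 8 bytes. receive_groups() additionally refuses a 6-byte payload (not a multiple of the word size) and a payload above the caller's upper bound, so a malformed reply is rejected before any allocation.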
