[CRIU] [PATCH] sk-netlink: fix overflow

Andrew Vagin avagin at parallels.com
Thu Apr 25 03:40:51 EDT 2013


Thanks.

Acked-by: Andrey Vagin <avagin at openvz.org>

On Thu, Apr 25, 2013 at 01:45:16PM +0800, Libo Chen wrote:
> Breaks running ./crtools check:
> 
> *** buffer overflow detected ***: ./crtools terminated
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fdaacb3e82c]
> /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fdaacb3d700]
> ./crtools[0x423d00]
> ./crtools[0x41d021]
> ./crtools[0x41d259]
> ./crtools[0x41e4b6]
> ./crtools[0x418f03]
> ./crtools[0x404988]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fdaaca5576d]
> ./crtools[0x404ad9]
> ======= Memory map: ========
> 00400000-00463000 r-xp 00000000 08:01 189158                             /home/clb/crtools/crtools
> 00662000-00663000 r--p 00062000 08:01 189158                             /home/clb/crtools/crtools
> 00663000-00671000 rw-p 00063000 08:01 189158                             /home/clb/crtools/crtools
> 00671000-00677000 rw-p 00000000 00:00 0
> 01801000-01822000 rw-p 00000000 00:00 0                                  [heap]
> 7fdaac81e000-7fdaac833000 r-xp 00000000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7fdaac833000-7fdaaca32000 ---p 00015000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7fdaaca32000-7fdaaca33000 r--p 00014000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7fdaaca33000-7fdaaca34000 rw-p 00015000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7fdaaca34000-7fdaacbe9000 r-xp 00000000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
> 7fdaacbe9000-7fdaacde8000 ---p 001b5000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
> 7fdaacde8000-7fdaacdec000 r--p 001b4000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
> 7fdaacdec000-7fdaacdee000 rw-p 001b8000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
> 7fdaacdee000-7fdaacdf3000 rw-p 00000000 00:00 0
> 7fdaacdf3000-7fdaace03000 r-xp 00000000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
> 7fdaace03000-7fdaad002000 ---p 00010000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
> 7fdaad002000-7fdaad003000 r--p 0000f000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
> 7fdaad003000-7fdaad004000 rw-p 00010000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
> 7fdaad004000-7fdaad01c000 r-xp 00000000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
> 7fdaad01c000-7fdaad21b000 ---p 00018000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
> 7fdaad21b000-7fdaad21c000 r--p 00017000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
> 7fdaad21c000-7fdaad21d000 rw-p 00018000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
> 7fdaad21d000-7fdaad221000 rw-p 00000000 00:00 0
> 7fdaad221000-7fdaad243000 r-xp 00000000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
> 7fdaad437000-7fdaad43b000 rw-p 00000000 00:00 0
> 7fdaad440000-7fdaad443000 rw-p 00000000 00:00 0
> 7fdaad443000-7fdaad444000 r--p 00022000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
> 7fdaad444000-7fdaad446000 rw-p 00023000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
> 7fff9eb3c000-7fff9eb5d000 rw-p 00000000 00:00 0                          [stack]
> 7fff9ebcf000-7fff9ebd1000 r-xp 00000000 00:00 0                          [vdso]
> ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
> 
> 
> I found this overflow at this statement: memcpy(sd->groups, groups, sd->gsize);
> The reason is that sd->gsize = 8 bytes, but sd->groups = xmalloc(sizeof(sd->gsize)) is exactly 4 bytes.
> 
> Signed-off-by: Libo Chen <libo.chen at huawei.com>
> Signed-off-by: Qiang Huang <h.huangqiang at huawei.com>
> ---
>  sk-netlink.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sk-netlink.c b/sk-netlink.c
> index dbfe8ca..68d38f8 100644
> --- a/sk-netlink.c
> +++ b/sk-netlink.c
> @@ -51,7 +51,7 @@ int netlink_receive_one(struct nlmsghdr *hdr, void *arg)
>  		sd->gsize = RTA_PAYLOAD(tb[NETLINK_DIAG_GROUPS]);
>  		groups = RTA_DATA(tb[NETLINK_DIAG_GROUPS]);
> 
> -		sd->groups = xmalloc(sizeof(sd->gsize));
> +		sd->groups = xmalloc(sd->gsize);
>  		if (!sd->groups) {
>  			xfree(sd);
>  			return -1;
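Review bot: with the allocation now sized from sd->gsize, the memcpy(sd->groups, groups, sd->gsize) named in the commit message no longer writes 8 bytes into a 4-byte heap block, so the _FORTIFY_SOURCE abort goes away; the old sizeof(sd->gsize) was the size of the counter field, not of the payload. One thing to confirm around this hunk: sd->gsize comes straight from RTA_PAYLOAD(tb[NETLINK_DIAG_GROUPS]) two lines above, so if the attribute can carry an empty payload, xmalloc(0) may return NULL and the `if (!sd->groups)` branch would xfree(sd) and fail the whole receive for a socket with no groups. If that case is reachable, guarding the allocation and copy with `if (sd->gsize)` keeps an empty bitmap from being reported as an allocation failure.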
> -- 
> 1.7.10.4
> 
> _______________________________________________
> Kernel.openeuler mailing list
> Kernel.openeuler at huawei.com
> http://rnd-openeuler.huawei.com/mailman/listinfo/kernel.openeuler
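The bug in the patch is the difference between the byte length of a netlink attribute's payload (RTA_PAYLOAD) and sizeof() of the integer that stores that length. The following is an added example, not CRIU's code, that builds a constructed NETLINK_DIAG_GROUPS-style attribute in memory, copies the bitmap out of it with the allocation sized the way the patch does it, shows the size the original code would have allocated, and looks up group membership in the copied bitmap. The rtattr struct and RTA_* macros are local copies of the <linux/rtnetlink.h> helpers so the file builds without kernel headers; struct netlink_sk_desc and all function names are hypothetical stand-ins for CRIU's, and the attribute type value is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local copies of the rtattr helpers from <linux/rtnetlink.h>. The only
 * deliberate difference: RTA_PAYLOAD here subtracts an int, so a header that
 * claims fewer than 4 bytes yields a negative payload. The UAPI macro's
 * result is unsigned, so real callers must validate rta_len with RTA_OK. */
struct rtattr {
	unsigned short rta_len;
	unsigned short rta_type;
};
#define RTA_ALIGNTO	4U
#define RTA_ALIGN(len)	(((len) + RTA_ALIGNTO - 1) & ~(RTA_ALIGNTO - 1))
#define RTA_LENGTH(len)	(RTA_ALIGN(sizeof(struct rtattr)) + (len))
#define RTA_DATA(rta)	((void *)(((char *)(rta)) + RTA_LENGTH(0)))
#define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - (int)RTA_LENGTH(0))

#define DEMO_GROUPS_ATTR 1	/* assumed value; stands in for NETLINK_DIAG_GROUPS */

/* Hypothetical stand-in for CRIU's socket descriptor: the two fields the
 * patch touches. */
struct netlink_sk_desc {
	unsigned int gsize;	/* length of the groups bitmap, in bytes */
	unsigned char *groups;	/* heap copy of the bitmap */
};

/* What the original code allocated: sizeof() of the 4-byte counter, whatever
 * the payload length is. Kept only to show the mismatch. */
static size_t buggy_alloc_size(const struct netlink_sk_desc *sd)
{
	return sizeof(sd->gsize);
}

/* Copy the bitmap out of the attribute, sizing the block from the payload. */
static int copy_groups(struct netlink_sk_desc *sd, const struct rtattr *rta)
{
	int payload = RTA_PAYLOAD(rta);

	if (payload < 0)	/* rta_len shorter than its own header: malformed */
		return -1;
	sd->gsize = (unsigned int)payload;
	/* malloc(0) may return NULL; allocate one byte so an empty bitmap is
	 * not reported as an allocation failure. */
	sd->groups = malloc(sd->gsize ? sd->gsize : 1);
	if (!sd->groups)
		return -1;
	memcpy(sd->groups, RTA_DATA(rta), sd->gsize);
	return 0;
}

/* Netlink multicast groups are numbered from 1; bit (group - 1) is set when
 * the socket is subscribed. Bits beyond the copied bitmap read as clear. */
static int group_is_member(const struct netlink_sk_desc *sd, unsigned int group)
{
	unsigned int bit = group - 1;

	if (group == 0 || bit / 8 >= sd->gsize)
		return 0;
	return (sd->groups[bit / 8] >> (bit % 8)) & 1;
}

/* Write a constructed attribute into buf; returns its aligned size, 0 if
 * buf is too small. No real socket is involved. */
static size_t build_groups_attr(void *buf, size_t bufsz, unsigned short type,
				const unsigned char *bitmap, size_t len)
{
	size_t total = RTA_ALIGN(RTA_LENGTH(len));
	struct rtattr *rta = buf;

	if (len > 0xffff - RTA_LENGTH(0) || total > bufsz)
		return 0;
	memset(buf, 0, total);
	rta->rta_len = (unsigned short)RTA_LENGTH(len);
	rta->rta_type = type;
	memcpy(RTA_DATA(rta), bitmap, len);
	return total;
}

/* The report's shape: an 8-byte bitmap (64 groups, one unsigned long on
 * x86_64) with groups 1 and 40 set. Constructed sample, little-endian. */
static int demo_64_group_bitmap(struct netlink_sk_desc *sd)
{
	static const unsigned char bitmap[8] = { 0x01, 0, 0, 0, 0x80, 0, 0, 0 };
	uint32_t buf[8];	/* 4-byte aligned backing store for the attribute */

	if (!build_groups_attr(buf, sizeof(buf), DEMO_GROUPS_ATTR, bitmap, sizeof(bitmap)))
		return -1;
	return copy_groups(sd, (const struct rtattr *)buf);
}

int main(void)
{
	struct netlink_sk_desc sd = { 0, NULL };

	if (demo_64_group_bitmap(&sd))
		return 1;
	printf("payload %u bytes, original code allocated %zu, group 40 member=%d\n",
	       sd.gsize, buggy_alloc_size(&sd), group_is_member(&sd, 40));
	free(sd.groups);
	return 0;
}
```

The 8-byte payload in the report is what a 64-group bitmap looks like on x86_64, so the 4-byte block from sizeof(sd->gsize) was overrun by exactly the second word; on a 32-bit build the same attribute would be 4 bytes and the bug would have stayed silent. A negative RTA_PAYLOAD is only detectable because the local macro casts to int; with the real header, check rta_len before trusting the payload length.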

