[CRIU] [PATCH 1/6] compel/infect: fix out-of-bounds parasite memcpy()
Andrey Ryabinin
aryabinin at virtuozzo.com
Mon Feb 6 02:14:12 PST 2017
From: Dmitry Safonov <dsafonov at virtuozzo.com>
We need to copy only parasite, do copy page-aligned size,
which will copy part of CRIU binary, that follows parasite
blob. That will cross red-zones and fire asan error.
Signed-off-by: Dmitry Safonov <dsafonov at virtuozzo.com>
Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
compel/src/lib/infect.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/compel/src/lib/infect.c b/compel/src/lib/infect.c
index b8997a4..7e1da8f 100644
--- a/compel/src/lib/infect.c
+++ b/compel/src/lib/infect.c
@@ -858,7 +858,7 @@ static inline unsigned long total_pie_size(size_t blob_size, size_t nr_gp)
int compel_infect(struct parasite_ctl *ctl, unsigned long nr_threads, unsigned long args_size)
{
int ret;
- unsigned long p, map_exchange_size, pie_size, parasite_size = 0;
+ unsigned long p, map_exchange_size, parasite_size = 0;
if (ctl->pblob.parasite_type != COMPEL_BLOB_CHEADER)
goto err;
@@ -876,7 +876,7 @@ int compel_infect(struct parasite_ctl *ctl, unsigned long nr_threads, unsigned l
* without using ptrace at all.
*/
- pie_size = parasite_size = total_pie_size(ctl->pblob.hdr.bsize, ctl->pblob.hdr.nr_gotpcrel);
+ parasite_size = total_pie_size(ctl->pblob.hdr.bsize, ctl->pblob.hdr.nr_gotpcrel);
ctl->args_size = round_up(args_size, PAGE_SIZE);
parasite_size += ctl->args_size;
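Review bot: with pie_size removed, the assignment `parasite_size = total_pie_size(...)` is the only place the mapping size is computed, and nothing here says it differs from the blob length. A one-line comment at that assignment stating that parasite_size sizes the destination mapping (and grows by args_size on the next lines), so it must not be used as a source length for ctl->pblob.hdr.mem, would keep the same over-read from being reintroduced later.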
@@ -896,7 +896,7 @@ int compel_infect(struct parasite_ctl *ctl, unsigned long nr_threads, unsigned l
ctl->addr_cmd = ctl->local_map + ctl->pblob.hdr.addr_cmd_off;
ctl->addr_args = ctl->local_map + ctl->pblob.hdr.addr_arg_off;
- memcpy(ctl->local_map, ctl->pblob.hdr.mem, pie_size);
+ memcpy(ctl->local_map, ctl->pblob.hdr.mem, ctl->pblob.hdr.bsize);
if (ctl->pblob.hdr.nr_relocs)
compel_relocs_apply(ctl->local_map, ctl->remote_map, ctl->pblob.hdr.bsize,
ctl->pblob.hdr.relocs, ctl->pblob.hdr.nr_relocs);
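Review bot: the memcpy() now stops at ctl->pblob.hdr.bsize, so the bytes of ctl->local_map between bsize and the total_pie_size() length are no longer written by this call. Since total_pie_size() takes nr_gotpcrel as well as the blob size, that tail is presumably reserved for GOT slots; please add a comment saying what is expected to initialise it (compel_relocs_apply() below, or the mapping's initial contents), or clear it explicitly. Previously it was filled, by accident, with whatever followed the blob in the CRIU binary, so any code that silently relied on that content would change behaviour with this fix.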
--
2.10.2