Bug #9559
closed - off-by-one vulnerability in ceph-0.80.5/src/common/fd.cc dump_open_fds() function
Description
ceph-0.80.5/src/common/fd.cc dump_open_fds() function allows attackers to cause a buffer overflow via vectors related to symbolic links.
detail:
void dump_open_fds(CephContext *cct)
{
    ...
        char path[PATH_MAX];
        snprintf(path, sizeof(path), "%s/%s", fn, de.d_name);
        char target[PATH_MAX];
        ssize_t r = readlink(path, target, sizeof(target));
        if (r < 0) {
            r = -errno;
            lderr(cct) << "dump_open_fds unable to readlink " << path << ": " << cpp_strerror(r) << dendl;
            continue;
        }
        // readlink() does not NUL-terminate and may return sizeof(target), i.e. r == PATH_MAX;
        // target[PATH_MAX] = 0 then writes one byte past the end: buffer overflow
        target[r] = 0;
    ...
}
patch:
--- fd.cc.old 2014-09-22 14:34:54.390003831 0800
++ fd.cc 2014-09-22 14:35:11.999003831 0800@ -41,7 +41,7
@
char path[PATH_MAX];
snprintf(path, sizeof(path), "%s/%s", fn, de.d_name);
char target[PATH_MAX];
- ssize_t r = readlink(path, target, sizeof(target));
ssize_t r = readlink(path, target, sizeof(target)-1);
if (r < 0) {
r = -errno;
lderr(cct) << "dump_open_fds unable to readlink " << path << ": " << cpp_strerror(r) << dendl;
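Review bot: the `-1` is the right fix for the `target[r] = 0` that follows this hunk, because readlink() does not NUL-terminate and returns exactly the size it was given once the target is at least that long, so with `sizeof(target)` the index r could equal PATH_MAX. Two follow-ups: readlink() also truncates silently, so when r == sizeof(target)-1 the logged target may be incomplete and is worth flagging in the lderr/ldout message, and since `target[r] = 0` lies outside the hunk, the patch should be checked against a tree where that line still directly follows this block.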
Updated by qinghao tang over 9 years ago
Updated by Adam Crume over 9 years ago
This was fixed in version 0.83 in commit 046c9769fc4eaffc1dd4a21b61c1c5696d537def, although I'm sure it could be backported if necessary.
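The off-by-one from the report above, shown as an added example that is not Ceph's code: a hypothetical readlink_safe() applies the report's sizeof-1 fix and additionally flags possible truncation, unsafe_readlink_len() measures the condition under which the original target[r] = 0 writes past the buffer, and create_link()/remove_link() build a constructed symlink fixture (all names and the 16-byte target are assumptions).

```c
#define _GNU_SOURCE   /* mkdtemp(), symlink(), readlink() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical hardened replacement for the readlink()/target[r]=0 pair (not Ceph's code).
 * readlink() never NUL-terminates and returns exactly its size limit once the target is that
 * long or longer, so one byte is reserved for the terminator; *maybe_truncated flags a full
 * buffer. Returns the number of bytes stored, or -1 with errno set. */
ssize_t readlink_safe(const char *path, char *buf, size_t bufsz, int *maybe_truncated)
{
    if (bufsz == 0) { errno = EINVAL; return -1; }
    ssize_t r = readlink(path, buf, bufsz - 1);   /* the reported fix: sizeof(target)-1 */
    if (r < 0) return -1;
    buf[r] = '\0';                                /* r <= bufsz-1: always in bounds */
    *maybe_truncated = ((size_t)r == bufsz - 1);
    return r;
}

/* Length the original call reports for a buffer of exactly bufsz bytes: when it equals bufsz,
 * the original target[r] = 0 writes one byte past the end (measured here, not performed). */
ssize_t unsafe_readlink_len(const char *path, size_t bufsz)
{
    char *tmp = malloc(bufsz);
    ssize_t r = tmp ? readlink(path, tmp, bufsz) : -1;
    free(tmp);
    return r;
}

/* Constructed fixture: a throw-away symlink with a chosen target; its path goes to linkpath. */
int create_link(char *linkpath, size_t sz, const char *target)
{
    char dir[] = "/tmp/readlink_demo_XXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(linkpath, sz, "%s/link", dir);
    return symlink(target, linkpath);
}

void remove_link(char *linkpath)   /* unlink the link, then its temporary directory */
{
    unlink(linkpath);
    char *slash = strrchr(linkpath, '/');
    if (slash) { *slash = '\0'; rmdir(linkpath); }
}
```

With a 16-byte target and a 16-byte buffer, unsafe_readlink_len() returns 16 (the index the original code would then write to), while readlink_safe() stores 15 bytes, terminates them, and sets maybe_truncated.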