Bug #9559

closed

Off-by-one vulnerability: ceph-0.80.5/src/common/fd.cc dump_open_fds() function

Added by qinghao tang over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
other
Tags:
Backport:
Regression:
Severity:
1 - critical
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

ceph-0.80.5/src/common/fd.cc dump_open_fds() function allows attackers to cause a buffer overflow via vectors related to a symbolic link.

detail:

    void dump_open_fds(CephContext *cct) {
    ...

        char path[PATH_MAX];
        snprintf(path, sizeof(path), "%s/%s", fn, de.d_name);
        char target[PATH_MAX];
        ssize_t r = readlink(path, target, sizeof(target));
        if (r < 0) {
          r = -errno;
          lderr(cct) << "dump_open_fds unable to readlink " << path << ": " << cpp_strerror(r) << dendl;
          continue;
        }
        //target[PATH_MAX] = 0; buffer overflow
        target[r] = 0;
    ...
    }

patch:

--- fd.cc.old 2014-09-22 14:34:54.390003831 0800
++ fd.cc 2014-09-22 14:35:11.999003831 0800
@ -41,7 +41,7 @
char path[PATH_MAX];
snprintf(path, sizeof(path), "%s/%s", fn, de.d_name);
char target[PATH_MAX];
- ssize_t r = readlink(path, target, sizeof(target));
ssize_t r = readlink(path, target, sizeof(target)-1);
if (r < 0) {
r = -errno;
lderr(cct) << "dump_open_fds unable to readlink " << path << ": " << cpp_strerror(r) << dendl;
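Review bot: the -1 in readlink(path, target, sizeof(target)-1) is the correct minimal fix: readlink() does not NUL-terminate and returns the number of bytes it wrote, so with sizeof(target) a link target of PATH_MAX bytes or more yields r == PATH_MAX and the later target[r] = 0 (shown in the description, outside this hunk) writes one byte past the end of the array, whereas with PATH_MAX-1 the terminator always lands in bounds. Two follow-ups: when r == sizeof(target)-1 the target may have been silently truncated, so consider logging that case or treating it as an error rather than reporting a shortened path; and the patch as pasted will not apply with patch(1), since the "++ fd.cc" file header, the "@ -41,7 +41,7 @" hunk marker and the replacement line (which lacks its leading +) have each lost characters.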

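A bounds-safe version of the readlink()-then-terminate step described above, added here as an illustration and not code from Ceph: readlink_z and probe_target_len are hypothetical names, and the fixture builds its own symlink under /tmp so the exact-fit and too-long cases can be exercised against a deliberately small 16-byte buffer.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bounded readlink() wrapper (hypothetical name, not a Ceph API). readlink()
 * does not NUL-terminate and returns the byte count it wrote, so with a
 * full-size buffer r can equal bufsz and buf[r] is one past the end. Passing
 * bufsz itself is safe (readlink never writes more); the check below turns a
 * completely filled buffer into ENAMETOOLONG rather than a truncated path. */
static ssize_t readlink_z(const char *path, char *buf, size_t bufsz)
{
    if (bufsz == 0) { errno = EINVAL; return -1; }
    ssize_t r = readlink(path, buf, bufsz);
    if (r < 0) return -1;                /* errno left as set by readlink() */
    if ((size_t)r >= bufsz) {            /* no room left for the terminator */
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[r] = '\0';                       /* r <= bufsz-1: always in bounds */
    return r;
}

/* Fixture: creates a symlink whose target is exactly target_len bytes in a
 * fresh temporary directory (constructed scratch data), reads it back through
 * a 16-byte buffer and cleans up. Returns the length read, -2 if readlink_z()
 * reported ENAMETOOLONG, or -1 if the fixture could not be set up. */
static ssize_t probe_target_len(size_t target_len)
{
    char dir[] = "/tmp/rl_demo_XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char link[sizeof(dir) + 2];
    snprintf(link, sizeof(link), "%s/l", dir);
    char *target = malloc(target_len + 1);     /* "aaa..." of target_len */
    if (target == NULL) { rmdir(dir); return -1; }
    memset(target, 'a', target_len);
    target[target_len] = '\0';
    ssize_t result = -1;
    if (symlink(target, link) == 0) {
        char buf[16];
        ssize_t r = readlink_z(link, buf, sizeof(buf));
        if (r >= 0) result = (ssize_t)strlen(buf);  /* proves NUL termination */
        else if (errno == ENAMETOOLONG) result = -2;
        unlink(link);
    }
    free(target);
    rmdir(dir);
    return result;
}
```

Unlike the sizeof(target)-1 approach in the patch, passing the full size and rejecting r == bufsz also distinguishes a target that was truncated from one that genuinely fits.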
Actions #1

Updated by qinghao tang over 9 years ago


Actions #2

Updated by Adam Crume over 9 years ago

This was fixed in version 0.83 in commit 046c9769fc4eaffc1dd4a21b61c1c5696d537def, although I'm sure it could be backported if necessary.

Actions #3

Updated by qinghao tang over 9 years ago

Please give me a CVE ID, thanks.

Actions #4

Updated by Samuel Just over 9 years ago

  • Status changed from New to Resolved