Bug #9559
closed - off-by-one vulnerability - ceph-0.80.5/src/common/fd.cc dump_open_fds() function
Status: Resolved
Priority: High
Assignee: -
Category: -
Target version: -
% Done: 0%
Source: other
Tags:
Backport:
Regression:
Severity: 1 - critical
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
The ceph-0.80.5/src/common/fd.cc dump_open_fds() function allows attackers to cause a buffer overflow via vectors related to symbolic links.
detail:

    void dump_open_fds(CephContext *cct)
    {
      ...
      char path[PATH_MAX];
      snprintf(path, sizeof(path), "%s/%s", fn, de.d_name);
      char target[PATH_MAX];
      ssize_t r = readlink(path, target, sizeof(target));
      if (r < 0) {
        r = -errno;
        lderr(cct) << "dump_open_fds unable to readlink " << path << ": " << cpp_strerror(r) << dendl;
        continue;
      }
      // readlink() does not NUL-terminate and may return r == sizeof(target);
      // target[r] = 0 then writes target[PATH_MAX], one byte past the end: buffer overflow
      target[r] = 0;
      ...
    }
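The following is an added example, not Ceph's code: it puts the vulnerable readlink() pattern from dump_open_fds() beside a hardened reader that reserves the terminator byte the way the patch does, and also flags the silent truncation readlink() never reports. The names (read_link_target, unsafe_terminator_index, make_demo_link), the 16-byte buffer and the symlink under /tmp are constructed for the demonstration; the unsafe variant returns the index the original code would write to instead of performing the out-of-bounds store.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hardened reader (added example, not Ceph code): holds one byte back for the
 * terminator that readlink(2) never writes, so buf[r] is always in bounds.
 * Returns the target length or -1; *truncated is set when the target may not
 * have fit, because readlink() truncates silently. Assumes bufsize >= 1. */
ssize_t read_link_target(const char *path, char *buf, size_t bufsize, int *truncated)
{
    *truncated = 0;
    ssize_t r = readlink(path, buf, bufsize - 1);   /* same fix as the patch */
    if (r < 0)
        return -1;
    buf[r] = '\0';                                  /* r <= bufsize - 1 */
    if ((size_t)r == bufsize - 1)
        *truncated = 1;
    return r;
}

/* Mirrors the vulnerable call in dump_open_fds(): passes the full size and
 * returns the index the original code would then store the terminator at.
 * The store itself is left out so the bug is shown without undefined
 * behaviour; a result equal to bufsize is one past the end of buf. */
ssize_t unsafe_terminator_index(const char *path, char *buf, size_t bufsize)
{
    return readlink(path, buf, bufsize);  /* may fill every byte of buf */
}

/* Constructed scenario: a symlink whose target overflows a 16-byte buffer. */
#define LINK_PATH   "/tmp/fd_off_by_one_demo_link"
#define LINK_TARGET "0123456789abcdefghij"       /* 20 bytes, does not fit */

int make_demo_link(void)
{
    unlink(LINK_PATH);                       /* drop a stale link from an earlier run */
    return symlink(LINK_TARGET, LINK_PATH);
}

int main(void)
{
    char buf[16];
    int truncated;
    if (make_demo_link() != 0)
        return 1;
    ssize_t bad = unsafe_terminator_index(LINK_PATH, buf, sizeof buf);
    printf("unsafe pattern stores the terminator at buf[%zd] of %zu bytes\n", bad, sizeof buf);
    ssize_t r = read_link_target(LINK_PATH, buf, sizeof buf, &truncated);
    printf("hardened: len=%zd truncated=%d target=\"%s\"\n", r, truncated, buf);
    unlink(LINK_PATH);
    return 0;
}
```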
patch:
--- fd.cc.old 2014-09-22 14:34:54.390003831 0800
++ fd.cc 2014-09-22 14:35:11.999003831 0800@ -41,7 +41,7
@
char path[PATH_MAX];
snprintf(path, sizeof(path), "%s/%s", fn, de.d_name);
char target[PATH_MAX];
- ssize_t r = readlink(path, target, sizeof(target));
ssize_t r = readlink(path, target, sizeof(target)-1);
if (r < 0) {
r = -errno;
lderr(cct) << "dump_open_fds unable to readlink " << path << ": " << cpp_strerror(r) << dendl;
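Review bot: the `-1` on the readlink call is the whole fix, because readlink(2) never writes a terminator and returns up to exactly the length it was given, so with `sizeof(target)` r can equal PATH_MAX and the later `target[r] = 0` lands one byte past the array; a short comment on the replacement line saying why that byte is held back would stop a future cleanup from putting `sizeof(target)` back. Worth noting as well that readlink truncates silently: when r comes back as sizeof(target)-1 the target may have been cut short, and the caller will go on to log a truncated path with no indication, so checking for that case is a reasonable follow-up.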