nvdimm.lists.linux.dev archive mirror
 help / color / mirror / Atom feed
* [ndctl PATCH] ndctl: Work around kernel memory corruption
@ 2018-08-13 20:31 Keith Busch
  2018-08-13 20:32 ` Dave Jiang
  0 siblings, 1 reply; 2+ messages in thread
From: Keith Busch @ 2018-08-13 20:31 UTC (permalink / raw)
  To: Vishal Verma, Dave Jiang, linux-nvdimm

Kernel commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden
ars_status output length handling") contained an incorrect ars status
output size calculation and may overrun the buffer provided by 4
bytes. This patch adds 4 bytes to the buffer the user space allocates
so that the kernel's overrun doesn't corrupt the application's heap.

See kernel patch for more details:

  https://patchwork.kernel.org/patch/10563103/

Signed-off-by: Keith Busch <keith.busch@intel.com>
---
 ndctl/lib/ars.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ndctl/lib/ars.c b/ndctl/lib/ars.c
index c78e3bf..bd75131 100644
--- a/ndctl/lib/ars.c
+++ b/ndctl/lib/ars.c
@@ -133,7 +133,16 @@ NDCTL_EXPORT struct ndctl_cmd *ndctl_bus_cmd_new_ars_status(struct ndctl_cmd *ar
 	}
 
 	size = sizeof(*cmd) + ars_cap_cmd->max_ars_out;
-	cmd = calloc(1, size);
+
+	/*
+	 * Older kernels have a bug that miscalculates the output length of the
+	 * ars status and will overrun the provided buffer by 4 bytes,
+	 * corrupting the memory. Add an additional 4 bytes in the allocation
+	 * size to prevent that corruption. See kernel patch for more details:
+	 *
+	 *   https://patchwork.kernel.org/patch/10563103/
+	 */
+	cmd = calloc(1, size + 4);
 	if (!cmd)
 		return NULL;
 
-- 
2.14.4

_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [ndctl PATCH] ndctl: Work around kernel memory corruption
  2018-08-13 20:31 [ndctl PATCH] ndctl: Work around kernel memory corruption Keith Busch
@ 2018-08-13 20:32 ` Dave Jiang
  0 siblings, 0 replies; 2+ messages in thread
From: Dave Jiang @ 2018-08-13 20:32 UTC (permalink / raw)
  To: Keith Busch, Vishal Verma, linux-nvdimm



On 08/13/2018 01:31 PM, Keith Busch wrote:
> Kernel commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden
> ars_status output length handling") contained an incorrect ars status
> output size calculation and may overrun the buffer provided by 4
> bytes. This patch adds 4 bytes to the buffer the user space allocates
> so that the kernel's overrun doesn't corrupt the application's heap.
> 
> See kernel patch for more details:
> 
>   https://patchwork.kernel.org/patch/10563103/
> 
> Signed-off-by: Keith Busch <keith.busch@intel.com>

Reviewed-by: Dave Jiang <dave.jiang@intel.com>

> ---
>  ndctl/lib/ars.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/ndctl/lib/ars.c b/ndctl/lib/ars.c
> index c78e3bf..bd75131 100644
> --- a/ndctl/lib/ars.c
> +++ b/ndctl/lib/ars.c
> @@ -133,7 +133,16 @@ NDCTL_EXPORT struct ndctl_cmd *ndctl_bus_cmd_new_ars_status(struct ndctl_cmd *ar
>  	}
>  
>  	size = sizeof(*cmd) + ars_cap_cmd->max_ars_out;
> -	cmd = calloc(1, size);
> +
> +	/*
> +	 * Older kernels have a bug that miscalculates the output length of the
> +	 * ars status and will overrun the provided buffer by 4 bytes,
> +	 * corrupting the memory. Add an additional 4 bytes in the allocation
> +	 * size to prevent that corruption. See kernel patch for more details:
> +	 *
> +	 *   https://patchwork.kernel.org/patch/10563103/
> +	 */
> +	cmd = calloc(1, size + 4);
>  	if (!cmd)
>  		return NULL;
>  
> 
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-08-13 20:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-13 20:31 [ndctl PATCH] ndctl: Work around kernel memory corruption Keith Busch
2018-08-13 20:32 ` Dave Jiang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).