[BUG] Out of bound read of size 1 in __d_alloc function which further leads to __default_memcpy function

Sascha Hauer sha at pengutronix.de
Tue May 11 01:00:03 PDT 2021


On Mon, May 10, 2021 at 12:18:08PM +0200, Jules Maselbas wrote:
> Hi,
> 
> On Fri, May 07, 2021 at 12:58:30PM +0200, Sascha Hauer wrote:
> > Hi,
> > 
> > On Sun, Apr 18, 2021 at 01:10:10AM +0530, Neeraj Pal wrote:
> > > Hi,
> > > 
> > > I have found the Out of bound read issue of size 1 when argv[2] is "" in
> > > __d_alloc function fs/fs.c:1254 which further goes
> > > and crashes into  __default_memcpy call lib/string.c:562
> > > 
> > > Tested on:
> > > - barebox-2021.04.0
> > > - git commit af0f068a6edad45b033e772056ac0352e1ba3613
> > 
> > I can reproduce this here. Thanks for reporting it. I just sent out a
> > series fixing this issue, you are on Cc:
> I think this should also be fixed by the patch I've sent:
> (74946415a "fs: Fix link_path_walk to return -ENOENT on empty path")
> 
> This patch might not have fixed this exact case when running the nfs
> command. Have you been able to repoduce this issue with this patch
> applied ?
> 
> I've havn't tried to setup a net interface to debug nfs commandi,
> instead I was using simpler command such as `md5sum ""`.

Indeed I can confirm that 74946415a already fixes the issue, also with a
'nfs foo ""' command. This renders my patches unnecessary for this
issue, but still I think they do the right thing, so I tend to keep
them.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



More information about the barebox mailing list