Commit e3101c8e authored by Libo Chen's avatar Libo Chen Committed by Pavel Emelyanov

sk-netlink: fix overflow

break running./crtools check :

*** buffer overflow detected ***: ./crtools terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fdaacb3e82c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fdaacb3d700]
./crtools[0x423d00]
./crtools[0x41d021]
./crtools[0x41d259]
./crtools[0x41e4b6]
./crtools[0x418f03]
./crtools[0x404988]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fdaaca5576d]
./crtools[0x404ad9]
======= Memory map: ========
00400000-00463000 r-xp 00000000 08:01 189158                             /home/clb/crtools/crtools
00662000-00663000 r--p 00062000 08:01 189158                             /home/clb/crtools/crtools
00663000-00671000 rw-p 00063000 08:01 189158                             /home/clb/crtools/crtools
00671000-00677000 rw-p 00000000 00:00 0
01801000-01822000 rw-p 00000000 00:00 0                                  [heap]
7fdaac81e000-7fdaac833000 r-xp 00000000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fdaac833000-7fdaaca32000 ---p 00015000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fdaaca32000-7fdaaca33000 r--p 00014000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fdaaca33000-7fdaaca34000 rw-p 00015000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fdaaca34000-7fdaacbe9000 r-xp 00000000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
7fdaacbe9000-7fdaacde8000 ---p 001b5000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
7fdaacde8000-7fdaacdec000 r--p 001b4000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
7fdaacdec000-7fdaacdee000 rw-p 001b8000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
7fdaacdee000-7fdaacdf3000 rw-p 00000000 00:00 0
7fdaacdf3000-7fdaace03000 r-xp 00000000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
7fdaace03000-7fdaad002000 ---p 00010000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
7fdaad002000-7fdaad003000 r--p 0000f000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
7fdaad003000-7fdaad004000 rw-p 00010000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
7fdaad004000-7fdaad01c000 r-xp 00000000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7fdaad01c000-7fdaad21b000 ---p 00018000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7fdaad21b000-7fdaad21c000 r--p 00017000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7fdaad21c000-7fdaad21d000 rw-p 00018000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7fdaad21d000-7fdaad221000 rw-p 00000000 00:00 0
7fdaad221000-7fdaad243000 r-xp 00000000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
7fdaad437000-7fdaad43b000 rw-p 00000000 00:00 0
7fdaad440000-7fdaad443000 rw-p 00000000 00:00 0
7fdaad443000-7fdaad444000 r--p 00022000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
7fdaad444000-7fdaad446000 rw-p 00023000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
7fff9eb3c000-7fff9eb5d000 rw-p 00000000 00:00 0                          [stack]
7fff9ebcf000-7fff9ebd1000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

I found this overflow at the statement: memcpy(sd->groups, groups, sd->gsize);
The reason is that sd->gsize is 8 bytes, but sd->groups = xmalloc(sizeof(sd->gsize)) allocates exactly 4 bytes.
Signed-off-by: Libo Chen <libo.chen@huawei.com>
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Acked-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
parent 2cd78c5d
......@@ -51,7 +51,7 @@ int netlink_receive_one(struct nlmsghdr *hdr, void *arg)
sd->gsize = RTA_PAYLOAD(tb[NETLINK_DIAG_GROUPS]);
groups = RTA_DATA(tb[NETLINK_DIAG_GROUPS]);
sd->groups = xmalloc(sizeof(sd->gsize));
sd->groups = xmalloc(sd->gsize);
if (!sd->groups) {
xfree(sd);
return -1;
......