From 84412c6b48ae4b980b58c26588237ac48c393458 Mon Sep 17 00:00:00 2001
From: liuh
Date: Tue, 11 Nov 2025 20:34:04 +0800
Subject: [PATCH] platform-intel: fix buffer overflow
---
 0033-platform-intel-fix-buffer-overflow.patch | 48 +++++++++++++++++++
 mdadm.spec | 6 ++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 0033-platform-intel-fix-buffer-overflow.patch
diff --git a/0033-platform-intel-fix-buffer-overflow.patch b/0033-platform-intel-fix-buffer-overflow.patch
new file mode 100644
index 0000000..2e5f3d2
--- /dev/null
+++ b/0033-platform-intel-fix-buffer-overflow.patch
@@ -0,0 +1,48 @@
+From 7f960c3bd050e76f8bf0a8a0c8fbdcbaa565fc78 Mon Sep 17 00:00:00 2001
+From: Blazej Kucman
+Date: Fri, 22 Nov 2024 11:01:04 +0100
+Subject: [PATCH] platform-intel: fix buffer overflow
+
+mdadm -C /dev/md/imsm0 -e imsm -n 2 /dev/nvme5n1 /dev/nvme4n1 -R
+mdadm -C /dev/md/r0d2 -l 0 -n 2 /dev/nvme5n1 /dev/nvme4n1 -R
+*** buffer overflow detected ***: terminated
+Aborted (core dumped)
+
+Issue is related to D_FORTIFY_SOURCE=3 flag and depends on environment,
+especially compiler version. In function active_arrays_by_format length of
+path buffer is calculated dynamically based on parameters, while PATH_MAX
+is used in snprintf, this is my lead to buffer overflow.
+
+It is fixed by change dynamic length calculation, to use define PATH_MAX
+for path length.
+
+Signed-off-by: Blazej Kucman
+---
+ super-intel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/super-intel.c b/super-intel.c
+index bf6ba9f..4392b5e 100644
+--- a/super-intel.c
++++ b/super-intel.c
+@@ -6878,7 +6878,8 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist,
+ struct dev_member *dev = memb->members;
+ int fd = -1;
+ while (dev && !is_fd_valid(fd)) {
+- char *path = xmalloc(strlen(dev->name) + strlen("/dev/") + 1);
++ char path[PATH_MAX];
++
+ num = sprintf(path, "%s%s", "/dev/", dev->name);
+ if (num > 0)
+ fd = open(path, O_RDONLY, 0);
+@@ -6886,7 +6887,6 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist,
+ pr_vrb("Cannot open %s: %s\n",
+ dev->name, strerror(errno));
+ }
+- free(path);
+ dev = dev->next;
+ }
+ found = 0;
+--
+2.43.0
+
diff --git a/mdadm.spec b/mdadm.spec
index 252053d..90e6ec7 100644
--- a/mdadm.spec
+++ b/mdadm.spec
@@ -1,6 +1,6 @@
 Name: mdadm
 Version: 4.2
-Release: 20
+Release: 21
 Summary: The software RAID arrays user manage tools
 License: GPLv2+
 URL: http://www.kernel.org/pub/linux/utils/raid/mdadm/
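Review bot: In the first super-intel.c hunk of the embedded patch, the unchanged context line `num = sprintf(path, "%s%s", "/dev/", dev->name);` now writes into the fixed `char path[PATH_MAX]` with no length bound, whereas the removed `xmalloc(strlen(dev->name) + strlen("/dev/") + 1)` sized the buffer exactly for that write. The commit message describes an `snprintf` that already passes PATH_MAX, but this tree's context line is plain `sprintf`, so the backport appears to replace an exactly-sized buffer with one that an over-long `dev->name` could overrun. I would bound the write and treat truncation as failure: `num = snprintf(path, sizeof(path), "%s%s", "/dev/", dev->name);` and `if (num > 0 && (size_t)num < sizeof(path))` before the `open`. active_arrays_by_format begins and ends outside both hunks, so how `dev->name` is populated and how long it can be is not visible here.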
@@ -42,6 +42,7 @@ Patch39: 0029-mdadm-util.c-fix-coverity-issues.patch Patch30: 0030-mdadm-sysfs.c-fix-coverity-issues.patch Patch31: 0031-super1-Clear-extra-flags-when-initializing-metadata.patch Patch32: 0032-Grow-fix-can-t-change-bitmap-type-from-none-to-clust.patch +Patch33: 0033-platform-intel-fix-buffer-overflow.patch BuildRequires: systemd gcc binutils libudev-devel @@ -108,6 +109,9 @@ install -d -m 710 %{buildroot}/var/run/mdadm/ %{_mandir}/man*/* %changelog +* Tue Nov 11 2025 liuh - 4.2-21 +- platform-intel: fix buffer overflow + * Sat Nov 8 2025 liuh - 4.2-20 - Grow: fix can't change bitmap type from none to clustered. -- Gitee