From a52bca9d66288cfbbacf80f2e328a75462711602 Mon Sep 17 00:00:00 2001
From: Zhiqiang Liu
Date: Fri, 6 Jan 2023 16:05:18 +0800
Subject: [PATCH] mdadm:fix NULL dereferenceinsuper_by_fd

Fix issue: https://gitee.com/src-openeuler/mdadm/issues/I68G5I?from=project-issue
Signed-off-by: Zhiqiang Liu
---
 ...-fix-NULL-dereference-in-super_by_fd.patch | 89 +++++++++++++++++++
 mdadm.spec | 6 +-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 0031-fix-NULL-dereference-in-super_by_fd.patch

diff --git a/0031-fix-NULL-dereference-in-super_by_fd.patch b/0031-fix-NULL-dereference-in-super_by_fd.patch
new file mode 100644
index 0000000..427bbd1
--- /dev/null
+++ b/0031-fix-NULL-dereference-in-super_by_fd.patch
@@ -0,0 +1,89 @@
+From 5025e5028b39770e76504af0ecb3e06e112d2c35 Mon Sep 17 00:00:00 2001
+From: lixiaokeng
+Date: Mon, 12 Dec 2022 16:59:54 +0800
+Subject: [PATCH] Fix NULL dereference in super_by_fd
+
+When we create 100 partitions (major is 259 not 254) in a raid device,
+mdadm may coredump:
+
+Core was generated by `/usr/sbin/mdadm --detail --export /dev/md1p3'.
+Program terminated with signal SIGSEGV, Segmentation fault.
+#0 __strlen_sse2 ()
+ at ../sysdeps/x86_64/multiarch/strlen-vec.S:126
+126 movdqu (%rax), %xmm4
+(gdb) bt
+#0 __strlen_sse2 ()
+ at ../sysdeps/x86_64/multiarch/strlen-vec.S:126
+#1 0x00007f1944659139 in __strcpy_chk (
+ dest=dest@entry=0x55ea8d7c23ac "", src=0x0,
+ destlen=destlen@entry=32) at strcpy_chk.c:28
+#2 0x000055ea8d10b66d in strcpy (__src=,
+ __dest=0x55ea8d7c23ac "")
+ at /usr/include/bits/string_fortified.h:79
+#3 super_by_fd (fd=fd@entry=3,
+ subarrayp=subarrayp@entry=0x7ffe6a1dff08) at util.c:1289
+#4 0x000055ea8d11b3a6 in Detail (
+ dev=0x7ffe6a1e2f22 "/dev/md1p3", c=0x7ffe6a1e1700)
+ at Detail.c:101
+#5 0x000055ea8d101e61 in misc_list (c=,
+ ss=, dump_directory=,
+ ident=, devlist=)
+ at mdadm.c:1959
+#6 main (argc=, argv=)
+ at mdadm.c:1629
+
+The direct cause is fd2devnm returning NULL, so add a check.
+Similarly, add a check in map_by_devnm to avoid coredump.
+
+Fix issue:https://gitee.com/src-openeuler/mdadm/issues/I68G5I?from=project-issue
+
+Signed-off-by: Lixiaokeng
+Signed-off-by: Wuguanghao
+---
+ mapfile.c | 4 ++++
+ util.c | 7 ++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/mapfile.c b/mapfile.c
+index 8d7acb3..f72fe0d 100644
+--- a/mapfile.c
++++ b/mapfile.c
+@@ -292,6 +292,10 @@ struct map_ent *map_by_uuid(struct map_ent **map, int uuid[4])
+ struct map_ent *map_by_devnm(struct map_ent **map, char *devnm)
+ {
+ struct map_ent *mp;
++
++ if (!devnm)
++ return NULL;
++
+ if (!*map)
+ map_read(map);
+
+diff --git a/util.c b/util.c
+index 64dd409..3a84ee3 100644
+--- a/util.c
++++ b/util.c
+@@ -1241,6 +1241,11 @@ struct supertype *super_by_fd(int fd, char **subarrayp)
+ int i;
+ char *subarray = NULL;
+ char container[32] = "";
++ char *devnm = NULL;
++
++ devnm = fd2devnm(fd);
++ if (!devnm)
++ return NULL;
+
+ sra = sysfs_read(fd, NULL, GET_VERSION);
+
+@@ -1286,7 +1291,7 @@ struct supertype *super_by_fd(int fd, char **subarrayp)
+ if (subarrayp)
+ *subarrayp = subarray;
+ strcpy(st->container_devnm, container);
+- strcpy(st->devnm, fd2devnm(fd));
++ strcpy(st->devnm, devnm);
+ } else
+ free(subarray);
+
+--
+1.8.3.1
+
diff --git a/mdadm.spec b/mdadm.spec
index e3d1fbc..3f220b1 100644
--- a/mdadm.spec
+++ b/mdadm.spec
@@ -1,6 +1,6 @@
 Name: mdadm
 Version: 4.1
-Release: 7
+Release: 8
 Summary: The software RAID arrays user manage tools
 License: GPLv2+
 URL: http://www.kernel.org/pub/linux/utils/raid/mdadm/
@@ -40,6 +40,7 @@ Patch27: 0027-mdadm-remove-Werror-to-fix-Werror-address-of-packed-.patch
 Patch28: 0028-mdadm-fix-coredump-of-mdadm-monitor-r.patch
 Patch29: 0029-mdadm-Fix-mdadm-r-remove-option-regresision.patch
 Patch30: 0030-monitor-Avoid-segfault-when-calling-NULL-get_bad_blo.patch
+Patch31: 0031-fix-NULL-dereference-in-super_by_fd.patch
 BuildRequires: systemd gcc binutils
 Requires(post): systemd coreutils
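Review bot: In the embedded util.c hunks, the pointer returned by `fd2devnm(fd)` is now held from the top of super_by_fd until the final `strcpy(st->devnm, devnm)`, whereas the old code fetched it at the point of use; that is only safe if nothing called in between (sysfs_read and the body not shown between the two hunks) overwrites the storage it points to. fd2devnm is not part of this patch, so please confirm it does not hand back a shared static buffer, or take a local copy right after the NULL check. The copy itself is still an unbounded strcpy into a destination the backtrace reports as 32 bytes; assuming st->devnm is an array member, `snprintf(st->devnm, sizeof(st->devnm), "%s", devnm);` would bound it. In mapfile.c the new guard makes a NULL name indistinguishable from "no entry found", which deserves a one-line comment such as `/* NULL devnm: fd2devnm() failed, treat as no match */`.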
@@ -105,6 +106,9 @@ install -d -m 710 %{buildroot}/var/run/mdadm/
 %{_mandir}/man*/*
 %changelog
+* Fri Jan 6 2023 Zhiqiang Liu - 4.1-8
+- fix Null dereference in super_by_fd
+
 * Mon Nov 14 2022 Zhiqiang Liu - 4.1-7
 - fix one segfault problem of check_for_cleared_bb in monitor.c
--
Gitee