diff --git a/0003-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch b/0003-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch new file mode 100644 index 0000000000000000000000000000000000000000..1b7564c1f1122d2df7dfd954afef30c46b7f1f68 --- /dev/null +++ b/0003-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch 
@@ -0,0 +1,70 @@ +From 99c7877759c0d0e7cd1b386c717e25dbc6f5ce61 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Fri, 25 Feb 2022 17:42:16 -0500 +Subject: [PATCH] mkfs: prevent corruption of passed-in suboption string values + +Eric and I were trying to play with mkfs.configuration files, when I +spotted this (with the libini package from Ubuntu 20.04): + +# cat << EOF > /tmp/r +[data] +su=2097152 +sw=1 +EOF +# mkfs.xfs -f -c options=/tmp/r /dev/sda +Parameters parsed from config file /tmp/r successfully +-d su option requires a value + +It turns out that libini's parser uses stack variables(!) to store the +value of a key=value pair that it parses, and passes this stack array to +the parse_cfgopt function. If the particular option calls getstr(), +then we save the value of that pointer (not its contents) to the +cli_params. Being a stack array, the contents will be overwritten by +other function calls, which means that our value of '2097152' has been +destroyed by the time we actually call getnum when we're validating the +new fs config. + +We never noticed this until now because the only other caller was +getsubopt on the argv array, which gets chopped up but left intact in +memory. The solution is to make a private copy of those strings if we +ever save them for later. For now we'll be lazy and let the memory +leak, since mkfs is not a long-running process. + +Fixes: 33c62516 ("mkfs: add initial ini format config file parsing support") +Signed-off-by: Darrick J. 
Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Eric Sandeen +--- + mkfs/xfs_mkfs.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/mkfs/xfs_mkfs.c b/mkfs/xfs_mkfs.c +index 3a41e17f..fcad6b55 100644 +--- a/mkfs/xfs_mkfs.c ++++ b/mkfs/xfs_mkfs.c +@@ -1438,12 +1438,21 @@ getstr( + struct opt_params *opts, + int index) + { ++ char *ret; ++ + check_opt(opts, index, true); + + /* empty strings for string options are not valid */ + if (!str || *str == '\0') + reqval(opts->name, opts->subopts, index); +- return (char *)str; ++ ++ ret = strdup(str); ++ if (!ret) { ++ fprintf(stderr, _("Out of memory while saving suboptions.\n")); ++ exit(1); ++ } ++ ++ return ret; + } + + static int +-- +2.35.3 + diff --git a/xfsprogs.spec b/xfsprogs.spec index ea577fe5faf54e52eca54450d33092f439d8e819..69ca29747e8fd72dd1b88636d1954d98437a33b0 100644 --- a/xfsprogs.spec +++ b/xfsprogs.spec @@ -1,6 +1,6 @@ Name: xfsprogs Version: 5.14.1 -Release: 4 +Release: 5 Summary: Administration and debugging tools for the XFS file system License: GPL+ and LGPLv2+ URL: https://xfs.wiki.kernel.org @@ -20,6 +20,7 @@ Conflicts: xfsdump < 3.0.1 Patch0: xfsprogs-5.12.0-default-bigtime-inobtcnt-on.patch Patch1: 0001-xfs-correct-nlink-printf-specifier-from-hd-to-PRIu32.patch Patch2: 0002-libxfs-fix-inode-reservation-space-for-removing-tran.patch +Patch3: 0003-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch %description xfsprogs are the userspace utilities that manage XFS filesystems. @@ -103,6 +104,9 @@ rm -rf %{buildroot}%{_datadir}/doc/xfsprogs/ %changelog +* Wed Sep 28 2022 Jun Yang - 5.14.1-5 +- add Patch3: prevent corruption of passed-in suboption string values + * Thu Aug 18 2022 Xiaole He - 5.14.1-4 - add Patch2: fix inode reservation space for removing transaction
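Review bot: in the getstr() hunk of mkfs/xfs_mkfs.c, the function now returns a strdup() allocation instead of the caller's pointer, but nothing in the code records that ownership change or that the copy is deliberately never freed; the reasoning exists only in the commit message. Add a comment above `ret = strdup(str);` stating that the copy is required because the config-file parser passes in a buffer that does not outlive the call, and that the leak is accepted because mkfs is short-lived, so a later cleanup or a leak checker report does not lead someone to restore `return (char *)str;`. It is also worth confirming that reqval() never returns, since otherwise strdup(str) would be reached with a NULL or empty str.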
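Review bot: in the xfsprogs.spec hunks, Patch3 is declared and Release is bumped to 5, but no change to %prep is visible, so the fix only reaches the build if %prep applies patches automatically (for example via %autosetup); please confirm that, or add the matching `%patch3 -p1` line. The new %changelog entry could also cite the upstream commit 99c7877759c0 and the Fixes: target 33c62516 so the backport can be traced from the package history.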