[PATCH] decode mtd/ubi ioctls

Dmitry V. Levin ldv at altlinux.org
Sat May 4 20:10:29 UTC 2013


On Wed, May 01, 2013 at 11:35:30PM -0400, Mike Frysinger wrote:
[...]
> +	/* 4*(n-1) + 3 for quotes and NUL */
> +	char vol_name[(UBI_MAX_VOLUME_NAME + 1) * 4];
> +
> +	if (entering(tcp))
> +		return 0;
> +
> +	switch (code) {
> +	case UBI_IOCMKVOL:
> +		if (!verbose(tcp) || umove(tcp, arg, &mkvol) < 0)
> +			return 0;
> +
> +		tprintf(", {vol_id=%" PRIi32 ", alignment=%" PRIi32
> +			", bytes=%" PRIi64 ", vol_type=", mkvol.vol_id,
> +			mkvol.alignment, (int64_t)mkvol.bytes);
> +		printxval(ubi_volume_types, mkvol.vol_type, "UBI_???_VOLUME");
> +		string_quote(mkvol.name, vol_name, -1, mkvol.name_len);
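Review bot: mkvol.name_len is copied from the tracee by umove and passed unchecked as the size limit to string_quote, but vol_name is only (UBI_MAX_VOLUME_NAME + 1) * 4 bytes, so any name_len above UBI_MAX_VOLUME_NAME (or a negative __s16 value) is not handled. Bound it before the call, for example `string_quote(mkvol.name, vol_name, -1, CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME));`, so the 4-bytes-per-character worst case stated in the buffer comment actually holds.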

Because mkvol.name_len is untrusted input, it can exceed
UBI_MAX_VOLUME_NAME with a good chance of overflowing vol_name[].
I suggest adding some kind of
CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME).

[...]
> +	case UBI_IOCRNVOL: {
> +		__s32 c;
> +
> +		if (!verbose(tcp) || umove(tcp, arg, &rnvol) < 0)
> +			return 0;
> +
> +		tprintf(", {count=%" PRIi32 ", ents=[", rnvol.count);
> +		for (c = 0; c < CLAMP(rnvol.count, 0, UBI_MAX_RNVOL); ++c) {
> +			if (c)
> +				tprints(", ");
> +			string_quote(rnvol.ents[c].name, vol_name, -1,
> +				rnvol.ents[c].name_len);
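Review bot: rnvol.ents[c].name_len has the same problem as mkvol.name_len above: it comes from tracee memory via umove and is passed unbounded as the size argument of string_quote into the same (UBI_MAX_VOLUME_NAME + 1) * 4 byte vol_name buffer. Clamp it the way rnvol.count already is, i.e. `CLAMP(rnvol.ents[c].name_len, 0, UBI_MAX_VOLUME_NAME)`. As a style point, compute the clamped count once before the loop instead of re-evaluating CLAMP(rnvol.count, 0, UBI_MAX_RNVOL) in every loop test.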

The same issue applies to this string_quote call.


-- 
ldv
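The bound the review asks for, shown as an added example that is not strace's code: a constructed quoter that escapes bytes the way the buffer comment assumes (up to 4 output characters per input byte, plus quotes and NUL), with the tracee-supplied length clamped before it is used. MAX_NAME, QUOTED_SIZE and the function names are stand-ins chosen here, not strace identifiers; the caller must guarantee that `name` is readable for MAX_NAME bytes, as a fixed-size struct field is.

```c
/* Added example, not strace code: clamp an untrusted name_len before
 * quoting into a fixed buffer. MAX_NAME stands in for UBI_MAX_VOLUME_NAME. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_NAME 127
#define CLAMP(v, lo, hi) ((v) < (lo) ? (lo) : (v) > (hi) ? (hi) : (v))
/* Worst case: every byte becomes \ooo (4 chars), plus two quotes and a NUL. */
#define QUOTED_SIZE ((MAX_NAME + 1) * 4)

/* Quote at most `len` bytes of `in` into `out`, stopping at an embedded NUL.
 * Returns the number of characters written, excluding the trailing NUL. */
static int quote_name(const char *in, int len, char out[QUOTED_SIZE])
{
	int n = 0, i;

	out[n++] = '"';
	for (i = 0; i < len && in[i] != '\0'; i++) {
		unsigned char c = (unsigned char)in[i];
		if (c == '"' || c == '\\') {
			out[n++] = '\\';
			out[n++] = (char)c;
		} else if (c < 0x20 || c >= 0x7f) {
			n += sprintf(out + n, "\\%03o", c); /* 4 chars */
		} else {
			out[n++] = (char)c;
		}
	}
	out[n++] = '"';
	out[n] = '\0';
	return n;
}

/* name_len is tracee-controlled: clamp it so the output can never exceed
 * 4 * MAX_NAME + 2 characters plus NUL, which fits QUOTED_SIZE. */
static int quote_untrusted(const char *name, int16_t name_len, char out[QUOTED_SIZE])
{
	return quote_name(name, CLAMP(name_len, 0, MAX_NAME), out);
}

/* Constructed worst case: a name field full of non-printable bytes and a
 * name_len far above MAX_NAME; the clamp keeps the result inside the buffer. */
static int quoted_len_worst_case(void)
{
	char name[MAX_NAME + 1], out[QUOTED_SIZE];

	memset(name, '\001', MAX_NAME);
	name[MAX_NAME] = '\0';
	return quote_untrusted(name, INT16_MAX, out);
}
```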