Bug 1455263
| Summary: | invalid memory read in copy_line, called by define_commands in command.c | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Community] LVM and device-mapper | Reporter: | hanno | ||||||
| Component: | lvm2 | Assignee: | David Teigland <teigland> | ||||||
| lvm2 sub component: | Other | QA Contact: | cluster-qe <cluster-qe> | ||||||
| Status: | NEW --- | Docs Contact: | |||||||
| Severity: | unspecified | ||||||||
| Priority: | low | CC: | agk, heinzm, hholst80, jbrassow, prajnoha, zkabelac | ||||||
| Version: | 2.02.171 | Keywords: | Triaged | ||||||
| Target Milestone: | --- | Flags: | rule-engine:
lvm-technical-solution?
rule-engine: lvm-test-coverage? |
||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | Type: | Bug | |||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 1282002 [details]
address sanitizer error / stack trace
thanks, will put this in soon, there seems to be no actual problem since \n isn't actually needed in practice. There's recently been a new version of lvm2, yet this has been ignored since I reported it. Anything I can do so you'll actually review this and commit it? It's a pretty straightforward bug and fix. The patch appears to cause a segfault /bin/sh: line 1: 15696 Segmentation fault ../tools/man-generator --primary lvmconfig > test.gen Is this the same error? ``` # lvm lvm> version LVM version: 2.03.24(2) (2024-05-16) Library version: 1.02.198 (2024-05-16) Driver version: 4.48.0 Configuration: ./configure CONFIG_SHELL=/bin/bash --prefix=/usr --sbindir=/usr/bin --sysconfdir=/etc --localstatedir=/var --enable-cmdlib --enable-dmeventd --enable-lvmpolld --enable-pkgconfig --enable-readline --enable-udev_rules --enable-udev_sync --enable-write_install --with-cache=internal --with-default-dm-run-dir=/run --with-default-locking-dir=/run/lock/lvm --with-default-pid-dir=/run --with-default-run-dir=/run/lvm --with-libexecdir=/usr/lib/lvm2 --with-systemdsystemunitdir=no --with-thin=internal --with-udev-prefix=/usr lvm> help foo foo - (null) fish: Job 1, 'lvm' terminated by signal SIGSEGV (Address boundary error) ``` |
Created attachment 1281999 [details] patch / fix Description of problem: Testing the lvm command line tool with address sanitizer uncovers an invalid memory read happening in the function copy_line.c Version-Release number of selected component (if applicable): LVM2.2.02.171 How reproducible: always Steps to Reproduce: 1. compile LVM2 with address sanitizer 2. run tools/lvm 3. see error Actual results: ASAN reports global buffer overflow Expected results: Tool starts normally. Additional info: This is the affected code in the function copy_line(): while (1) { line[i] = _command_input[p]; i++; p++; if (_command_input[p] == '\n') { p++; break; } if (i == (max_line - 1)) break; } This will read until a newline and then exit the loop. However the calling function define_commands() assumes a trailing newline in the returned string to mark the end of the string. It will also use a check of the form if (line[0] == '\n') to check whether we're at the end of parsing the command string. This obviously only works if the newline byte is also copied by copy_line, which it isn't. A possible solution is to switch the increasing of the i and p variables and the check for the newline byte in copy_line, thus making sure that it's only checked after the newline character is already copied: while (1) { line[i] = _command_input[p]; if (_command_input[p] == '\n') { p++; break; } i++; p++; if (i == (max_line - 1)) break; } I'll attach a patch to do this.