Bug 1455263
| Summary: | invalid memory read in copy_line, called by define_commands in command.c | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Community] LVM and device-mapper | Reporter: | hanno | ||||||
| Component: | lvm2 | Assignee: | David Teigland <teigland> | ||||||
| lvm2 sub component: | Other | QA Contact: | cluster-qe <cluster-qe> | ||||||
| Status: | NEW --- | Docs Contact: | |||||||
| Severity: | unspecified | ||||||||
| Priority: | low | CC: | agk, heinzm, jbrassow, msnitzer, prajnoha, zkabelac | ||||||
| Version: | 2.02.171 | Keywords: | Triaged | ||||||
| Target Milestone: | --- | Flags: | rule-engine:
lvm-technical-solution?
rule-engine: lvm-test-coverage? |
||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | Type: | Bug | |||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 1282002 [details]
address sanitizer error / stack trace
thanks, will put this in soon, there seems to be no actual problem since \n isn't actually needed in practice. There's recently been a new version of lvm2, yet this has been ignored since I reported it. Anything I can do so you'll actually review this and commit it? It's a pretty straightforward bug and fix. The patch appears to cause a segfault /bin/sh: line 1: 15696 Segmentation fault ../tools/man-generator --primary lvmconfig > test.gen |
Created attachment 1281999 [details] patch / fix Description of problem: Testing the lvm command line tool with address sanitizer uncovers an invalid memory read happening in the function copy_line.c Version-Release number of selected component (if applicable): LVM2.2.02.171 How reproducible: always Steps to Reproduce: 1. compile LVM2 with address sanitizer 2. run tools/lvm 3. see error Actual results: ASAN reports global buffer overflow Expected results: Tool starts normally. Additional info: This is the affected code in the function copy_line(): while (1) { line[i] = _command_input[p]; i++; p++; if (_command_input[p] == '\n') { p++; break; } if (i == (max_line - 1)) break; } This will read until a newline and then exit the loop. However the calling function define_commands() assumes a trailing newline in the returned string to mark the end of the string. It will also use a check of the form if (line[0] == '\n') to check whether we're at the end of parsing the command string. This obviously only works if the newline byte is also copied by copy_line, which it isn't. A possible solution is to switch the increasing of the i and p variables and the check for the newline byte in copy_line, thus making sure that it's only checked after the newline character is already copied: while (1) { line[i] = _command_input[p]; if (_command_input[p] == '\n') { p++; break; } i++; p++; if (i == (max_line - 1)) break; } I'll attach a patch to do this.