Bug 1813491

Summary: tcmu-runner: Fix possible cdb printing overflow
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Xiubo Li <xiubli>
Component: tcmu-runnerAssignee: Xiubo Li <xiubli>
Status: CLOSED ERRATA QA Contact: Vinayak Papnoi <vpapnoi>
Severity: medium Docs Contact:
Priority: unspecified    
Version: ocs-3.11CC: arukumar, pprakash, prasanna.kalever, puebele, rhs-bugs, rtalur, sabose, xiubli
Target Milestone: ---Keywords: ZStream
Target Release: OCS 3.11.z Batch Update 6   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tcmu-runner-1.2.0-33.el7rhgs Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-17 04:31:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Xiubo Li 2020-03-14 02:09:57 UTC
Description of problem:
tcmu_cdb_print_info has a fixed size 193 bytes scratch buffer on the stack,
defined here:

void tcmu_cdb_print_info(struct tcmu_device *dev,
const struct tcmulib_cmd *cmd,
const char *info)
{
int i, n, bytes;
char fix[CDB_FIX_SIZE], *buf;

    buf = fix;
Further down, it uses sprintf to write some bytes in 2-digit hex format to
buf, with each byte occupying 3 bytes in buf:

    for (i = 0, n = 0; i < bytes; i++) {
            n += sprintf(buf + n, "%x ", cmd->cdb[i]);
    }
To avoid overflowing the stack buffer, there is a check earlier in the
function which performs a heap allocation if bytes is too large:

    if (bytes > CDB_FIX_SIZE) {
            buf = malloc(CDB_TO_BUF_SIZE(bytes));
            if (!buf) {
                    tcmu_dev_err(dev, "out of memory\n");
                    return;
            }
    }
But this check looks wrong. If bytes > 64, then the previously mentioned for
loop will overflow the 193 byte stack buffer. I think it should be:

    if (bytes > CDB_FIX_BYTES) {
Correcting this isn't sufficient on its own though, as this check doesn't
take in to account that an additional string (info) is written to buf and
can also result in the stack buffer overflowing:

    if (info)
            n += sprintf(buf + n, "%s", info);

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 11 errata-xmlrpc 2020-12-17 04:31:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Storage 3.11.z bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5602