Bug 2176740

Summary: [RHEL 9] tools/rpcdebug/rpcdebug.c: get_flags() fails to check read() return properly
Product: Red Hat Enterprise Linux 9
Reporter: Zhi Li <yieli>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: ASSIGNED
QA Contact: Yongcheng Yang <yoyang>
Severity: unspecified
Priority: unspecified
Version: 9.2
CC: xzhou, yieli
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Zhi Li 2023-03-09 06:12:10 UTC
Description of problem:
If libcall read(sysfd, buffer, sizeof(buffer)) returns 0, it may lead to an underflow later in buffer[len - 1].

...snip...
static unsigned int
get_flags(char *module)
{
        char    buffer[256], filename[256];
        int     sysfd, len;

        snprintf(filename, 256, "/proc/sys/sunrpc/%s_debug", module);

        if ((sysfd = open(filename, O_RDONLY)) < 0) {
                perror(filename);
                exit(1);
        }
        if ((len = read(sysfd, buffer, sizeof(buffer))) < 0) {   // <- if len returns 0 here
                perror("read");
                exit(1);
        }
        close(sysfd);
        buffer[len - 1] = '\0';    // <- buffer underflow

        return strtoul(buffer, NULL, 0);
}
...snip...

Version-Release number of selected component (if applicable):
nfs-utils-2.5.4-18.el9

Comment 2 Yongcheng Yang 2023-06-07 14:44:21 UTC
It has been merged to the upstream nfs-utils now:

commit a746c35822e557766d1871ec976490a71e6962d9
Author: Zhi Li <yieli>
Date:   Wed Apr 5 12:08:10 2023 -0400

    rpcdebug: avoid buffer underflow if read() returns 0

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2176740

    Signed-off-by: Zhi Li <yieli>
    Signed-off-by: Steve Dickson <steved>
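
An added example, not the upstream commit (its diff is not shown on this page) and not nfs-utils code: one way to guard the read-then-terminate step so that a zero-length read is rejected before any index is derived from it. The names read_flags_fd and fd_with are hypothetical, and the pipe-based input is constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not from nfs-utils): parse a flags value from fd.
 * Returns 0 on success, -1 read error, -2 empty read, -3 not a number. */
int read_flags_fd(int fd, unsigned int *flags)
{
    char buffer[256], *end;
    unsigned long v;
    ssize_t len = read(fd, buffer, sizeof(buffer) - 1); /* keep room for '\0' */
    if (len < 0)
        return -1;
    if (len == 0)               /* the case that indexed buffer[-1] */
        return -2;
    buffer[len] = '\0';         /* len is 1..255 here: always in bounds */
    errno = 0;
    v = strtoul(buffer, &end, 0);   /* stops at the trailing newline */
    if (end == buffer || errno != 0)
        return -3;
    *flags = (unsigned int)v;
    return 0;
}

/* Constructed input: a pipe preloaded with data and its write end closed,
 * so an empty string makes the first read() return 0. */
int fd_with(const char *data)
{
    int p[2], bad;
    size_t n = strlen(data);
    if (pipe(p) < 0)
        return -1;
    bad = n > 0 && write(p[1], data, n) != (ssize_t)n;
    close(p[1]);
    if (bad)
        close(p[0]);
    return bad ? -1 : p[0];
}

int main(void)
{
    unsigned int f = 0;
    int ok = read_flags_fd(fd_with("0x7fff\n"), &f);
    int empty = read_flags_fd(fd_with(""), &f);
    printf("ok=%d flags=%#x empty=%d\n", ok, f, empty);
    return 0;
}
```

Unlike the original, which overwrites the last byte read with the terminator, this version appends the terminator after the data and lets strtoul() stop at the newline.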