Bug 2176740 - [RHEL 9] tools/rpcdebug/rpcdebug.c: get_flags() fails to check read() return properly
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: nfs-utils
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Steve Dickson
QA Contact: Yongcheng Yang
Reported: 2023-03-09 06:12 UTC by Zhi Li
Modified: 2023-07-13 07:33 UTC (History)
Type: Bug
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-151184 0 None None None 2023-03-09 06:15:24 UTC

Description Zhi Li 2023-03-09 06:12:10 UTC
Description of problem:
If the libcall read(sysfd, buffer, sizeof(buffer)) returns 0, it may lead to an underflow later in buffer[len - 1].

...snip...
static unsigned int
get_flags(char *module)
{
        char    buffer[256], filename[256];
        int     sysfd, len;

        snprintf(filename, 256, "/proc/sys/sunrpc/%s_debug", module);

        if ((sysfd = open(filename, O_RDONLY)) < 0) {
                perror(filename);
                exit(1);
        }
        if ((len = read(sysfd, buffer, sizeof(buffer))) < 0) {   // <- if len returns 0 here
                perror("read");
                exit(1);
        }
        close(sysfd);
        buffer[len - 1] = '\0';    // <- buffer underflow

        return strtoul(buffer, NULL, 0);
}
...snip...

Version-Release number of selected component (if applicable):
nfs-utils-2.5.4-18.el9

Comment 2 Yongcheng Yang 2023-06-07 14:44:21 UTC
It has been merged to the upstream nfs-utils now:

commit a746c35822e557766d1871ec976490a71e6962d9
Author: Zhi Li <yieli>
Date:   Wed Apr 5 12:08:10 2023 -0400

    rpcdebug: avoid buffer underflow if read() returns 0

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2176740

    Signed-off-by: Zhi Li <yieli>
    Signed-off-by: Steve Dickson <steved>
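
Added example, not the upstream nfs-utils patch and not code from this report: one way to guard the read() result in the pattern from the description, so that a zero-byte read is rejected before the buffer is indexed. The names read_flags_fd and flags_from_bytes are hypothetical, and the pipe-fed input is constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not nfs-utils code): read a numeric flags value from fd.
 * Returns 0 and stores the value in *out; -1 on read error or empty input. */
static int read_flags_fd(int fd, unsigned int *out)
{
	char buffer[256];
	ssize_t len;
	/* Read at most 255 bytes so the terminator always has its own slot. */
	do {
		len = read(fd, buffer, sizeof(buffer) - 1);
	} while (len < 0 && errno == EINTR);
	if (len <= 0)	/* error, or 0 bytes: never index buffer[len - 1] */
		return -1;
	buffer[len] = '\0';	/* len is 1..255 here */
	*out = (unsigned int)strtoul(buffer, NULL, 0);	/* stops at the newline */
	return 0;
}

/* Demo driver: feed constructed bytes through a pipe so read() sees them
 * as it would file contents, including the zero-length case. */
static int flags_from_bytes(const char *data, size_t n, unsigned int *out)
{
	int p[2], rc;

	if (pipe(p) < 0)
		return -1;
	if (n > 0 && write(p[1], data, n) != (ssize_t)n) {
		close(p[0]);
		close(p[1]);
		return -1;
	}
	close(p[1]);	/* writer closed: an empty pipe reads as 0 bytes (EOF) */
	rc = read_flags_fd(p[0], out);
	close(p[0]);
	return rc;
}

int main(void)
{
	unsigned int v = 0;
	int ok = flags_from_bytes("0x7fff\n", 7, &v);	/* constructed sample */
	int empty = flags_from_bytes("", 0, &v);	/* read() returns 0 */
	printf("ok=%d flags=0x%x empty=%d\n", ok, v, empty);
	return 0;
}
```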

