On Wed, May 13, 2009 at 10:08:47AM +0100, Eric B Munson wrote:
> Commit f6d20b8135e0c1ca73e8ae329be47d43be261c0b introduces a subtle buffer
> overflow by storing each pool resize request in a buffer without checking
> against the buffer size. This patch makes a check against array size and
> ignores all pool resize requests after the first POOL_MAX.
>
> Signed-off-by: Eric B Munson <[email protected]>
> ---
> hugeadm.c | 19 +++++++++++++++++--
> 1 files changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/hugeadm.c b/hugeadm.c
> index e1faefb..7ba61e4 100644
> --- a/hugeadm.c
> +++ b/hugeadm.c
> @@ -852,7 +852,14 @@ int main(int argc, char** argv)
> break;
>
> case LONG_POOL_MIN_ADJ:
> - opt_min_adj[minadj_count++] = optarg;
> + minadj_count++;
> + if (minadj_count >= MAX_POOLS) {
> + WARNING("Attempting to adjust an invalid "
> + "pool or a pool multiple times, "
> + "ignoring request: '%s'\n", optarg);
> + } else {
> + opt_min_adj[minadj_count] = optarg;
> + }
minadj_count is updated before the array is populated. The effect is
that opt_min_adj[0] is always 0. I would expect the pool to always get
zeroed then in that case. Did you mean to do something like

	if (minadj_count == MAX_POOLS)
		WARNING("Attempting to adjust pool too "
			"many times, "
			"ignoring request: '%s'\n", optarg);
	else
		opt_min_adj[minadj_count++] = optarg;

?
> break;
>
> case LONG_POOL_MAX_ADJ:
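Review bot: the bounds check in the LONG_POOL_MIN_ADJ case is off by one because minadj_count is incremented before it is used as the index, so opt_min_adj[0] is never written and only MAX_POOLS - 1 requests can be stored. The counter also keeps growing past MAX_POOLS on every dropped request, so any later loop that treats minadj_count as the number of stored entries will read past the end of opt_min_adj, which is the overflow this patch is meant to close. Test before storing instead, e.g. `if (minadj_count == MAX_POOLS) WARNING(...); else opt_min_adj[minadj_count++] = optarg;`. Two smaller points: the warning text "an invalid pool or a pool multiple times" does not describe what is checked (only the number of requests), and the commit message says POOL_MAX where the code uses MAX_POOLS.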
> @@ -861,7 +868,15 @@ int main(int argc, char** argv)
> "max cannot be adjusted\n");
> exit(EXIT_FAILURE);
> }
> - opt_max_adj[maxadj_count++] = optarg;
> +
> + maxadj_count++;
> + if (maxadj_count >= MAX_POOLS) {
> + WARNING("Attempting to adjust an invalid "
> + "pool or a pool multiple times, "
> + "ignoring request: '%s'\n", optarg);
> + } else {
> + opt_max_adj[maxadj_count] = optarg;
> + }
> break;
>
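Review bot: the LONG_POOL_MAX_ADJ hunk has the same off-by-one: maxadj_count is incremented before it indexes opt_max_adj, so opt_max_adj[0] stays unset, one slot is lost, and maxadj_count exceeds MAX_POOLS after the first dropped request. Use the same check-then-store form, `if (maxadj_count == MAX_POOLS) WARNING(...); else opt_max_adj[maxadj_count++] = optarg;`, and consider sharing the warning text with the min case rather than duplicating it. The added blank line at the top of the hunk is unnecessary.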
Same here
--
Mel Gorman
Part-time PhD Student, University of Limerick
Linux Technology Center, IBM Dublin Software Lab
_______________________________________________
Libhugetlbfs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libhugetlbfs-devel
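The two forms of the check side by side, as an added example that is not hugeadm's code and not part of this thread. MAX_POOLS, struct adj_list, the handler names and the six option strings are stand-ins chosen here (the array is four entries so the overflow is reached quickly; the strings are constructed and do not follow hugeadm's option syntax). It shows what Mel describes, that the patched form never writes slot 0, and one further consequence, that the counter overshoots the array after the first dropped request.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not hugeadm's code. MAX_POOLS, struct adj_list and the
 * option strings are stand-ins for opt_min_adj[] / minadj_count, sized
 * small so the off-by-one is easy to see. */
#define MAX_POOLS 4

struct adj_list {
    const char *adj[MAX_POOLS]; /* stand-in for opt_min_adj / opt_max_adj */
    int count;                  /* stand-in for minadj_count / maxadj_count */
    int dropped;                /* requests refused by the bounds check */
};

/* The check as posted: increment first, then test and store. */
static void add_as_patched(struct adj_list *l, const char *optarg)
{
    l->count++;
    if (l->count >= MAX_POOLS)
        l->dropped++;           /* where hugeadm emits WARNING() */
    else
        l->adj[l->count] = optarg;
}

/* The form Mel suggests: test the current count, store, then increment. */
static void add_fixed(struct adj_list *l, const char *optarg)
{
    if (l->count == MAX_POOLS)
        l->dropped++;
    else
        l->adj[l->count++] = optarg;
}

/* Constructed command line: six requests against a four-entry array, so
 * both the "array full" and the "dropped request" paths are exercised. */
static const char *const sample_args[] = {
    "req-0", "req-1", "req-2", "req-3", "req-4", "req-5"
};
#define N_SAMPLE_ARGS (sizeof sample_args / sizeof sample_args[0])

static struct adj_list run(void (*add)(struct adj_list *, const char *))
{
    struct adj_list l;
    memset(&l, 0, sizeof l);
    for (size_t i = 0; i < N_SAMPLE_ARGS; i++)
        add(&l, sample_args[i]);
    return l;
}

struct adj_list run_patched(void) { return run(add_as_patched); }
struct adj_list run_fixed(void)   { return run(add_fixed); }

/* Entries a later "for (i = 0; i < count; i++)" loop over adj[] would find
 * set. The bound is clamped to the array here; a consumer without such a
 * clamp would read past adj[] whenever count exceeds MAX_POOLS. */
int populated_slots(const struct adj_list *l)
{
    int n = 0;
    int limit = l->count < MAX_POOLS ? l->count : MAX_POOLS;
    for (int i = 0; i < limit; i++)
        if (l->adj[i] != NULL)
            n++;
    return n;
}

int main(void)
{
    struct adj_list p = run_patched();
    struct adj_list f = run_fixed();

    printf("patched: count=%d dropped=%d adj[0]=%s populated=%d\n",
           p.count, p.dropped, p.adj[0] ? p.adj[0] : "(null)",
           populated_slots(&p));
    printf("fixed:   count=%d dropped=%d adj[0]=%s populated=%d\n",
           f.count, f.dropped, f.adj[0] ? f.adj[0] : "(null)",
           populated_slots(&f));
    return 0;
}
```

With six requests the patched handler ends with count 6 against a four-entry array, slot 0 empty and only three entries stored; the check-then-store form ends with count 4, all four slots filled and the two surplus requests dropped.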