On 08/13/2018 01:31 PM, Keith Busch wrote:
> Kernel commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden
> ars_status output length handling") contained an incorrect ars status
> output size calculation and may overrun the buffer provided by 4
> bytes. This patch adds 4 bytes to the buffer the user space allocates
> so that the kernel's overrun doesn't corrupt the application's heap.
>
> See kernel patch for more details:
>
> https://patchwork.kernel.org/patch/10563103/
>
> Signed-off-by: Keith Busch <[email protected]>
Reviewed-by: Dave Jiang <[email protected]>
> ---
> ndctl/lib/ars.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/ndctl/lib/ars.c b/ndctl/lib/ars.c
> index c78e3bf..bd75131 100644
> --- a/ndctl/lib/ars.c
> +++ b/ndctl/lib/ars.c
> @@ -133,7 +133,16 @@ NDCTL_EXPORT struct ndctl_cmd
> *ndctl_bus_cmd_new_ars_status(struct ndctl_cmd *ar
> }
>
> size = sizeof(*cmd) + ars_cap_cmd->max_ars_out;
> - cmd = calloc(1, size);
> +
> + /*
> + * Older kernels have a bug that miscalculates the output length of the
> + * ars status and will overrun the provided buffer by 4 bytes,
> + * corrupting the memory. Add an additional 4 bytes in the allocation
> + * size to prevent that corruption. See kernel patch for more details:
> + *
> + * https://patchwork.kernel.org/patch/10563103/
> + */
> + cmd = calloc(1, size + 4);
> if (!cmd)
> return NULL;
>
>
_______________________________________________
Linux-nvdimm mailing list
[email protected]
https://lists.01.org/mailman/listinfo/linux-nvdimm
