From f853c53a00da0640403f536fc5bfc9146baf200c Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Tue, 14 May 2013 11:59:23 -0400
Subject: [PATCH] Fix: out of bounds access of kernel channel padding
The padding of the old ABI is bigger than the new one so we use the size of the new padding size for the memcpy since it will always be smaller.
In kernctl_create_channel: Out-of-bounds access to a buffer (CWE-119).
In kernctl_open_metadata: Out-of-bounds access to a buffer (CWE-119).
Issue 1019925 and 1019924 of coverity scan.
Signed-off-by: David Goulet
---
 src/common/kernel-ctl/kernel-ctl.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/common/kernel-ctl/kernel-ctl.c b/src/common/kernel-ctl/kernel-ctl.c
index e4a268ed4..b45efd0ef 100644
--- a/src/common/kernel-ctl/kernel-ctl.c
+++ b/src/common/kernel-ctl/kernel-ctl.c
@@ -82,7 +82,13 @@ int kernctl_open_metadata(int fd, struct lttng_channel_attr *chops)
 old_channel.switch_timer_interval = chops->switch_timer_interval;
 old_channel.read_timer_interval = chops->read_timer_interval;
 old_channel.output = chops->output;
- memcpy(old_channel.padding, chops->padding, sizeof(old_channel.padding));
+
+ memset(old_channel.padding, 0, sizeof(old_channel.padding));
+ /*
+ * The new channel padding is smaller than the old ABI so we use the
+ * new ABI padding size for the memcpy.
+ */
+ memcpy(old_channel.padding, chops->padding, sizeof(chops->padding));
 return ioctl(fd, LTTNG_KERNEL_OLD_METADATA, &old_channel);
 }
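Review bot: The memcpy's safety now rests only on the comment's claim that sizeof(chops->padding) is not larger than sizeof(old_channel.padding); nothing enforces it, so a later growth of the new ABI's padding would silently reintroduce the overflow into the old_channel struct that is handed to the ioctl. A compile-time check placed just before the copy pins the relationship, e.g. `_Static_assert(sizeof(chops->padding) <= sizeof(old_channel.padding), "new ABI padding must fit in old ABI padding");` (C11; if the tree's compiler floor is older, an equivalent negative-array-size build assertion serves the same purpose). The same applies to the identical hunk in kernctl_create_channel below. The memset before the partial copy is the right companion, since it keeps uninitialized stack bytes out of the padding the kernel reads; whether the rest of old_channel is zeroed at its declaration is outside the hunk and I could not verify it. kernctl_open_metadata's body starts outside the hunk.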
@@ -111,7 +117,13 @@ int kernctl_create_channel(int fd, struct lttng_channel_attr *chops)
 old_channel.switch_timer_interval = chops->switch_timer_interval;
 old_channel.read_timer_interval = chops->read_timer_interval;
 old_channel.output = chops->output;
- memcpy(old_channel.padding, chops->padding, sizeof(old_channel.padding));
+
+ memset(old_channel.padding, 0, sizeof(old_channel.padding));
+ /*
+ * The new channel padding is smaller than the old ABI so we use the
+ * new ABI padding size for the memcpy.
+ */
+ memcpy(old_channel.padding, chops->padding, sizeof(chops->padding));
 return ioctl(fd, LTTNG_KERNEL_OLD_CHANNEL, &old_channel);
 }
-- 
2.34.1