From: David Goulet
Date: Tue, 14 May 2013 15:59:23 +0000 (-0400)
Subject: Fix: out of bounds access of kernel channel padding
X-Git-Tag: v2.2.0-rc3~78
X-Git-Url: https://git.lttng.org./?a=commitdiff_plain;h=f853c53a00da0640403f536fc5bfc9146baf200c;p=lttng-tools.git
Fix: out of bounds access of kernel channel padding
The padding of the old ABI is bigger than the new one so we use the size of the new padding size for the memcpy since it will always be smaller. In kernctl_create_channel: Out-of-bounds access to a buffer (CWE-119). In kernctl_open_metadata: Out-of-bounds access to a buffer (CWE-119). Issue 1019925 and 1019924 of coverity scan.
Signed-off-by: David Goulet
---
diff --git a/src/common/kernel-ctl/kernel-ctl.c b/src/common/kernel-ctl/kernel-ctl.c
index e4a268ed4..b45efd0ef 100644
--- a/src/common/kernel-ctl/kernel-ctl.c
+++ b/src/common/kernel-ctl/kernel-ctl.c
@@ -82,7 +82,13 @@ int kernctl_open_metadata(int fd, struct lttng_channel_attr *chops)
 old_channel.switch_timer_interval = chops->switch_timer_interval;
 old_channel.read_timer_interval = chops->read_timer_interval;
 old_channel.output = chops->output;
- memcpy(old_channel.padding, chops->padding, sizeof(old_channel.padding));
+
+ memset(old_channel.padding, 0, sizeof(old_channel.padding));
+ /*
+ * The new channel padding is smaller than the old ABI so we use the
+ * new ABI padding size for the memcpy.
+ */
+ memcpy(old_channel.padding, chops->padding, sizeof(chops->padding));
 return ioctl(fd, LTTNG_KERNEL_OLD_METADATA, &old_channel);
 }
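Review bot: The bound used by the new `memcpy` is safe only while `sizeof(chops->padding) <= sizeof(old_channel.padding)`, and that relationship is stated in the added comment but not enforced anywhere in the hunk. If either structure's padding is resized later, the copy into `old_channel.padding` becomes an out-of-bounds write instead of the over-read fixed here. I would make the assumption checkable at build time with a compile-time assertion on the two sizes next to the copy, or copy the smaller of the two: `sizeof(chops->padding) < sizeof(old_channel.padding) ? sizeof(chops->padding) : sizeof(old_channel.padding)`. The same applies to the identical lines in the `kernctl_create_channel` hunk; both function bodies start outside their hunks.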
@@ -111,7 +117,13 @@ int kernctl_create_channel(int fd, struct lttng_channel_attr *chops)
 old_channel.switch_timer_interval = chops->switch_timer_interval;
 old_channel.read_timer_interval = chops->read_timer_interval;
 old_channel.output = chops->output;
- memcpy(old_channel.padding, chops->padding, sizeof(old_channel.padding));
+
+ memset(old_channel.padding, 0, sizeof(old_channel.padding));
+ /*
+ * The new channel padding is smaller than the old ABI so we use the
+ * new ABI padding size for the memcpy.
+ */
+ memcpy(old_channel.padding, chops->padding, sizeof(chops->padding));
 return ioctl(fd, LTTNG_KERNEL_OLD_CHANNEL, &old_channel);
 }
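Review bot: The field copies and the padding copy visible in this hunk are identical to those in `kernctl_open_metadata`, so the size reasoning behind the `memcpy` bound now has to stay correct in two places. Moving the new-ABI to old-ABI conversion into one file-local helper that both functions call would leave a single bound to audit when either structure changes. Both functions start outside their hunks, so whether the earlier field assignments are also identical is an assumption to confirm.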