[Crash-utility] [PATCH] Fix a segfault by "net" command
Dave Anderson
anderson at redhat.com
Wed Nov 22 21:44:02 UTC 2017
----- Original Message -----
>
>
> ----- Original Message -----
> > Hi Dave,
> >
> > When a network device has a lot of IP addresses, the "net" command
> > can generate a segmentation fault due to a buffer overflow without
> > this patch. I have seen several vmcores like that in customer support.
>
> Thanks, Kasuhito -- I will give the patch a test run next week after the
> holiday.
Actually, before I test the patch, can you fix get_device_address() and its
three callers now that you have changed the function's return type:
$ make warn
TARGET: X86_64
CRASH: 7.2.1rc20
GDB: 7.6
cc -c -g -DX86_64 -DLZO -DSNAPPY -DGDB_7_6 build_data.c -Wall -O2 -Wstrict-prototypes -Wmissing-prototypes -fstack-protector -Wformat-security
cc -c -g -DX86_64 -DLZO -DSNAPPY -DGDB_7_6 net.c -Wall -O2 -Wstrict-prototypes -Wmissing-prototypes -fstack-protector -Wformat-security
net.c: In function 'get_device_address':
net.c:899:3: warning: 'return' with no value, in function returning non-void [-Wreturn-type]
return;
^
...
Thanks,
Dave
>
> Dave
>
> >
> > # for i in {1..250} ; do ifconfig eth1:$i 192.168.1.$i ; done
> > # crash
> > ...
> > crash> net
> > NET_DEVICE NAME IP ADDRESS(ES)
> > ffff88007faab000 lo 127.0.0.1
> > ffff88003e097000 eth0 192.168.122.182
> > ffff88003e12b000 eth1 192.168.1.1, 192.168.1.2, ..., 192.168.1.250
> > ffff88003e12e000 eth2
> > Segmentation fault (core dumped)
> >
> > Signed-off-by: Kazuhito Hagio <k-hagio at ab.jp.nec.com>
> > ---
> > net.c | 48 +++++++++++++++++++++++++++++++++++-------------
> > 1 file changed, 35 insertions(+), 13 deletions(-)
> >
> > diff --git a/net.c b/net.c
> > index bb86963..7b70dc4 100644
> > --- a/net.c
> > +++ b/net.c
> > @@ -70,7 +70,7 @@ static void show_net_devices_v3(ulong);
> > static void print_neighbour_q(ulong, int);
> > static void get_netdev_info(ulong, struct devinfo *);
> > static void get_device_name(ulong, char *);
> > -static void get_device_address(ulong, char *);
> > +static long get_device_address(ulong, char **, long);
> > static void get_sock_info(ulong, char *);
> > static void dump_arp(void);
> > static void arp_state_to_flags(unsigned char);
> > @@ -441,7 +441,8 @@ show_net_devices(ulong task)
> > {
> > ulong next;
> > long flen;
> > - char buf[BUFSIZE];
> > + char *buf;
> > + long buflen = BUFSIZE;
> >
> > if (symbol_exists("dev_base_head")) {
> > show_net_devices_v2(task);
> > @@ -459,6 +460,7 @@ show_net_devices(ulong task)
> > if (!net->netdevice || !next)
> > return;
> >
> > + buf = GETBUF(buflen);
> > flen = MAX(VADDR_PRLEN, strlen(net->netdevice));
> >
> > fprintf(fp, "%s NAME IP ADDRESS(ES)\n",
> > @@ -472,12 +474,14 @@ show_net_devices(ulong task)
> > get_device_name(next, buf);
> > fprintf(fp, "%-6s ", buf);
> >
> > - get_device_address(next, buf);
> > + buflen = get_device_address(next, &buf, buflen);
> > fprintf(fp, "%s\n", buf);
> >
> > readmem(next+net->dev_next, KVADDR, &next,
> > sizeof(void *), "(net_)device.next", FAULT_ON_ERROR);
> > } while (next);
> > +
> > + FREEBUF(buf);
> > }
> >
> > static void
> > @@ -485,13 +489,15 @@ show_net_devices_v2(ulong task)
> > {
> > struct list_data list_data, *ld;
> > char *net_device_buf;
> > - char buf[BUFSIZE];
> > + char *buf;
> > + long buflen = BUFSIZE;
> > int ndevcnt, i;
> > long flen;
> >
> > if (!net->netdevice) /* initialized in net_init() */
> > return;
> >
> > + buf = GETBUF(buflen);
> > flen = MAX(VADDR_PRLEN, strlen(net->netdevice));
> >
> > fprintf(fp, "%s NAME IP ADDRESS(ES)\n",
> > @@ -521,12 +527,13 @@ show_net_devices_v2(ulong task)
> > get_device_name(ld->list_ptr[i], buf);
> > fprintf(fp, "%-6s ", buf);
> >
> > - get_device_address(ld->list_ptr[i], buf);
> > + buflen = get_device_address(ld->list_ptr[i], &buf, buflen);
> > fprintf(fp, "%s\n", buf);
> > }
> >
> > FREEBUF(ld->list_ptr);
> > FREEBUF(net_device_buf);
> > + FREEBUF(buf);
> > }
> >
> > static void
> > @@ -535,13 +542,15 @@ show_net_devices_v3(ulong task)
> > ulong nsproxy_p, net_ns_p;
> > struct list_data list_data, *ld;
> > char *net_device_buf;
> > - char buf[BUFSIZE];
> > + char *buf;
> > + long buflen = BUFSIZE;
> > int ndevcnt, i;
> > long flen;
> >
> > if (!net->netdevice) /* initialized in net_init() */
> > return;
> >
> > + buf = GETBUF(buflen);
> > flen = MAX(VADDR_PRLEN, strlen(net->netdevice));
> >
> > fprintf(fp, "%s NAME IP ADDRESS(ES)\n",
> > @@ -581,12 +590,13 @@ show_net_devices_v3(ulong task)
> > get_device_name(ld->list_ptr[i], buf);
> > fprintf(fp, "%-6s ", buf);
> >
> > - get_device_address(ld->list_ptr[i], buf);
> > + buflen = get_device_address(ld->list_ptr[i], &buf, buflen);
> > fprintf(fp, "%s\n", buf);
> > }
> >
> > FREEBUF(ld->list_ptr);
> > FREEBUF(net_device_buf);
> > + FREEBUF(buf);
> > }
> >
> > /*
> > @@ -869,13 +879,18 @@ get_device_name(ulong devaddr, char *buf)
> > * in_ifaddr->ifa_next points to the next in_ifaddr in the list (if any).
> > *
> > */
> > -static void
> > -get_device_address(ulong devaddr, char *buf)
> > +static long
> > +get_device_address(ulong devaddr, char **bufp, long buflen)
> > {
> > ulong ip_ptr, ifa_list;
> > struct in_addr ifa_address;
> > + char *buf;
> > + char buf2[BUFSIZE];
> > + long pos = 0;
> >
> > - BZERO(buf, BUFSIZE);
> > + buf = *bufp;
> > + BZERO(buf, buflen);
> > + BZERO(buf2, BUFSIZE);
> >
> > readmem(devaddr + net->dev_ip_ptr, KVADDR,
> > &ip_ptr, sizeof(ulong), "ip_ptr", FAULT_ON_ERROR);
> > @@ -891,13 +906,20 @@ get_device_address(ulong devaddr, char *buf)
> > &ifa_address, sizeof(struct in_addr), "ifa_address",
> > FAULT_ON_ERROR);
> >
> > - sprintf(&buf[strlen(buf)], "%s%s",
> > - strlen(buf) ? ", " : "",
> > - inet_ntoa(ifa_address));
> > + sprintf(buf2, "%s%s", pos ? ", " : "", inet_ntoa(ifa_address));
> > + if (pos + strlen(buf2) >= buflen) {
> > + RESIZEBUF(*bufp, buflen, buflen * 2);
> > + buf = *bufp;
> > + BZERO(buf + buflen, buflen);
> > + buflen *= 2;
> > + }
> > + BCOPY(buf2, &buf[pos], strlen(buf2));
> > + pos += strlen(buf2);
> >
> > readmem(ifa_list + OFFSET(in_ifaddr_ifa_next), KVADDR,
> > &ifa_list, sizeof(ulong), "ifa_next", FAULT_ON_ERROR);
> > }
> > + return buflen;
> > }
> >
> > /*
> > --
> > 1.8.3.1
> >
> > --
> > Crash-utility mailing list
> > Crash-utility at redhat.com
> > https://www.redhat.com/mailman/listinfo/crash-utility
> >
>
> --
> Crash-utility mailing list
> Crash-utility at redhat.com
> https://www.redhat.com/mailman/listinfo/crash-utility
>
More information about the Crash-utility
mailing list