xfsprogs: add patch ot prevent corruption of passed in suboption strin

Signed-off-by: Jun Yang <jun.yang@suse.com> (cherry picked from commit d086f91960b934aa5acce9643ee81d1539b7e2e4)
2022-09-29 11:19:23 +08:00 · 2022-09-29 11:19:23 +08:00 · 5dc2005ec0
commit 5dc2005ec0
parent 2448701300
2 changed files with 75 additions and 1 deletions
--- a/0003-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch
+++ b/0003-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch
@ -0,0 +1,70 @@
 From 99c7877759c0d0e7cd1b386c717e25dbc6f5ce61 Mon Sep 17 00:00:00 2001
 From: "Darrick J. Wong" <djwong@kernel.org>
 Date: Fri, 25 Feb 2022 17:42:16 -0500
 Subject: [PATCH] mkfs: prevent corruption of passed-in suboption string values
 Eric and I were trying to play with mkfs.configuration files, when I
 spotted this (with the libini package from Ubuntu 20.04):
 # cat << EOF > /tmp/r
 [data]
 su=2097152
 sw=1
 EOF
 # mkfs.xfs -f -c options=/tmp/r /dev/sda
 Parameters parsed from config file /tmp/r successfully
 -d su option requires a value
 It turns out that libini's parser uses stack variables(!) to store the
 value of a key=value pair that it parses, and passes this stack array to
 the parse_cfgopt function.  If the particular option calls getstr(),
 then we save the value of that pointer (not its contents) to the
 cli_params.  Being a stack array, the contents will be overwritten by
 other function calls, which means that our value of '2097152' has been
 destroyed by the time we actually call getnum when we're validating the
 new fs config.
 We never noticed this until now because the only other caller was
 getsubopt on the argv array, which gets chopped up but left intact in
 memory.  The solution is to make a private copy of those strings if we
 ever save them for later.  For now we'll be lazy and let the memory
 leak, since mkfs is not a long-running process.
 Fixes: 33c62516 ("mkfs: add initial ini format config file parsing support")
 Signed-off-by: Darrick J. Wong <djwong@kernel.org>
 Reviewed-by: Christoph Hellwig <hch@lst.de>
 Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
 ---
 mkfs/xfs_mkfs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/mkfs/xfs_mkfs.c b/mkfs/xfs_mkfs.c
 index 3a41e17f..fcad6b55 100644
 --- a/mkfs/xfs_mkfs.c
 +++ b/mkfs/xfs_mkfs.c
@@ -1438,12 +1438,21 @@ getstr(
 	struct opt_params	*opts,
 	int			index)
 {
 +	char			*ret;
 +
 	check_opt(opts, index, true);
 	/* empty strings for string options are not valid */
 	if (!str || *str == '\0')
 		reqval(opts->name, opts->subopts, index);
 -	return (char *)str;
 +
 +	ret = strdup(str);
 +	if (!ret) {
 +		fprintf(stderr, _("Out of memory while saving suboptions.\n"));
 +		exit(1);
 +	}
 +
 +	return ret;
 }
 static int
 -- 
 2.35.3
--- a/xfsprogs.spec
+++ b/xfsprogs.spec
@ -1,6 +1,6 @@
 Name:           xfsprogs
 Version:        5.14.1
-Release:        4
+Release:        5
 Summary:        Administration and debugging tools for the XFS file system
 License:        GPL+ and LGPLv2+
 URL:            https://xfs.wiki.kernel.org
@ -20,6 +20,7 @@ Conflicts:      xfsdump < 3.0.1
 Patch0:		xfsprogs-5.12.0-default-bigtime-inobtcnt-on.patch
 Patch1:		0001-xfs-correct-nlink-printf-specifier-from-hd-to-PRIu32.patch
 Patch2:         0002-libxfs-fix-inode-reservation-space-for-removing-tran.patch
 Patch3:         0003-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch
 %description
 xfsprogs are the userspace utilities that manage XFS filesystems.
@ -103,6 +104,9 @@ rm -rf %{buildroot}%{_datadir}/doc/xfsprogs/
 %changelog
 * Wed Sep 28 2022 Jun Yang <jun.yang@suse.com> - 5.14.1-5
 - add Patch3: prevent corruption of passed-in suboption string values
 * Thu Aug 18 2022 Xiaole He <hexiaole@kylinos.cn> - 5.14.1-4
 - add Patch2: fix inode reservation space for removing transaction