Jeff Liu
2011-Aug-31 04:35 UTC
[PATCH] Btrfs-progs: specify label length larger than 255 bytes cause mkfs.btrfs buffer overflow
Hello, While going through the mkfs.c, I noticed there is an issue for label length checking, mkfs.btrfs will crashed if the label length exceeding 255 bytes, it''s easy to triggered that out as below: jeff@pibroch:~/opensource/btrfs-progs$ sudo ./mkfs.btrfs -L `perl -e ''print "A"x256''` /usr/src/linux-3.0/img0 WARNING! - Btrfs v0.19-35-g1b444cd IS EXPERIMENTAL WARNING! - see http://btrfs.wiki.kernel.org before using *** buffer overflow detected ***: ./mkfs.btrfs terminated ======= Backtrace: ========/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x50)[0xb7774df0] /lib/i386-linux-gnu/libc.so.6(+0xe4cca)[0xb7773cca] /lib/i386-linux-gnu/libc.so.6(__strcpy_chk+0x3f)[0xb777305f] ./mkfs.btrfs[0x805acc4] ./mkfs.btrfs[0x805def6] /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0xb76a5e37] ./mkfs.btrfs[0x8048ef1] ======= Memory map: =======...... a tiny patch could fix it. Signed-off-by: Jie Liu <jeff.liu@oracle.com> --- mkfs.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mkfs.c b/mkfs.c index 2e99b95..1598aae 100644 --- a/mkfs.c +++ b/mkfs.c @@ -308,9 +308,9 @@ static char *parse_label(char *input) int i; int len = strlen(input); - if (len > BTRFS_LABEL_SIZE) { + if (len >= BTRFS_LABEL_SIZE) { fprintf(stderr, "Label %s is too long (max %d)\n", input, - BTRFS_LABEL_SIZE); + BTRFS_LABEL_SIZE - 1); exit(1); } for (i = 0; i < len; i++) { -- 1.7.4.1 -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html