git: fc915f1be145 - main - pseudofs: Fix a potential out-of-bounds access in pfs_lookup()
Date: Fri, 23 Jun 2023 15:09:54 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=fc915f1be145a52c53f6f1c37525043216e32bb8
commit fc915f1be145a52c53f6f1c37525043216e32bb8
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-06-23 13:54:39 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-06-23 13:54:39 +0000
pseudofs: Fix a potential out-of-bounds access in pfs_lookup()
pseudofs nodes store their name in a flexible array member, so the node
allocation is sized using the length of the name, including a nul
terminator. pfs_lookup() scans a directory of nodes, comparing names to
find a match. The comparison was incorrect and assumed that all node
names were at least as long as the name being looked up, which of course
isn't true.
I believe the bug is mostly harmless since it cannot result in false
positive or negative matches from the lookup, but it triggers a KASAN
check.
Reported by: pho
Reviewed by: kib, Olivier Certner <olce.freebsd@certner.fr>
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40692
---
sys/fs/pseudofs/pseudofs_vnops.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c
index 53e4c2b6b85c..bf423f0ad4db 100644
--- a/sys/fs/pseudofs/pseudofs_vnops.c
+++ b/sys/fs/pseudofs/pseudofs_vnops.c
@@ -537,8 +537,8 @@ pfs_lookup(struct vop_cachedlookup_args *va)
for (pn = pd->pn_nodes; pn != NULL; pn = pn->pn_next)
if (pn->pn_type == pfstype_procdir)
pdn = pn;
- else if (pn->pn_name[namelen] == '\0' &&
- bcmp(pname, pn->pn_name, namelen) == 0) {
+ else if (strncmp(pname, pn->pn_name, namelen) == 0 &&
+ pn->pn_name[namelen] == '\0') {
pfs_unlock(pd);
goto got_pnode;
}