Kernel commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden
ars_status output length handling") contained an incorrect ars status
output size calculation and may overrun the buffer provided by 4
bytes. This patch adds 4 bytes to the buffer the user space allocates
so that the kernel's overrun doesn't corrupt the application's heap.
See kernel patch for more details:
https://patchwork.kernel.org/patch/10563103/
Signed-off-by: Keith Busch <keith.busch(a)intel.com>
---
ndctl/lib/ars.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/ndctl/lib/ars.c b/ndctl/lib/ars.c
index c78e3bf..bd75131 100644
--- a/ndctl/lib/ars.c
+++ b/ndctl/lib/ars.c
@@ -133,7 +133,16 @@ NDCTL_EXPORT struct ndctl_cmd *ndctl_bus_cmd_new_ars_status(struct
ndctl_cmd *ar
}
size = sizeof(*cmd) + ars_cap_cmd->max_ars_out;
- cmd = calloc(1, size);
+
+ /*
+ * Older kernels have a bug that miscalculates the output length of the
+ * ars status and will overrun the provided buffer by 4 bytes,
+ * corrupting the memory. Add an additional 4 bytes in the allocation
+ * size to prevent that corruption. See kernel patch for more details:
+ *
+ *
https://patchwork.kernel.org/patch/10563103/
+ */
+ cmd = calloc(1, size + 4);
if (!cmd)
return NULL;
--
2.14.4