Skip to content

fs: fuse: Fix possible buffer overflow #63079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 5, 2023
Merged

fs: fuse: Fix possible buffer overflow #63079

merged 1 commit into from
Oct 5, 2023

Conversation

ceolin
Copy link
Member

@ceolin ceolin commented Sep 26, 2023

Ensure that the path in fuse_fs_access_readdir does not overflow the local buffer.

@ceolin ceolin requested a review from nashif as a code owner September 26, 2023 06:23
de-nordic
de-nordic reviewed Sep 26, 2023
View reviewed changes
subsys/fs/fuse_fs_access.c Outdated
Comment on lines 183 to 184
sprintf(mount_path, "%.*s/", MIN(strlen(path),
(PATH_MAX - 2)), path);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be more proper to check first whether the additional '/' fits with string to the mount point and use strcpy, or similar rather than heavy snprintf, and fill in missing '/'.
Above is also dangerous because you can get path that is still existing path, but not a path you want to access.
For example you can cut something like "/bi/ba/bu" to "/bi/ba//" which is still valid path.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep ... thought about it but decided to just truncate the contents and send to the upper level to keep it as closes as the original implementation ...

But it is probably better just return an error here and avoid propagate inaccurate data.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

fs: fuse: Fix possible buffer overflow
9c2e96b 
Ensure that the path in fuse_fs_access_readdir does not overflow
the local buffer.

Signed-off-by: Flavio Ceolin <[email protected]>
de-nordic
de-nordic reviewed Sep 26, 2023
View reviewed changes
subsys/fs/fuse_fs_access.c
@@ -176,9 +176,15 @@ static int fuse_fs_access_readdir(const char *path, void *buf,
* directory but FUSE strips the trailing slashes from
* directory names so add it back.
*/
char mount_path[PATH_MAX];
char mount_path[PATH_MAX] = {0};
Copy link
Collaborator

@de-nordic de-nordic Sep 26, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note for the future: if you are planning to overwrite the buffer with whatevercpy do not initialize it this way, because this will be replaced by loop putting 0 in the array; just do all the copy you need and then place the final 0 where it belongs, as you will know where to place it anyway.

@ceolin ceolin requested a review from d3zd3z September 27, 2023 16:39
@Laczen Laczen removed their request for review September 29, 2023 08:04
@ceolin ceolin added the bug The issue is a bug, or the PR is fixing a bug label Oct 2, 2023
@ceolin ceolin added this to the v3.5.0 milestone Oct 2, 2023
@fabiobaltieri fabiobaltieri merged commit 3521c95 into zephyrproject-rtos:main Oct 5, 2023
ngm0
ngm0 reviewed Feb 14, 2024
View reviewed changes
subsys/fs/fuse_fs_access.c

sprintf(mount_path, "%s/", path);
if (len >= (PATH_MAX - 2)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if (len > (PATH_MAX - 2)) { suffices, leaving one byte for / and \0 each.

ngm0
ngm0 reviewed Feb 14, 2024
View reviewed changes
subsys/fs/fuse_fs_access.c
return -ENOMEM;
}

memcpy(mount_path, path, len)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing semicolon, did this patch pass CI?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clearly the CI is not running this code path, could you send a PR with the fix?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabiobaltieri fabiobaltieri fabiobaltieri approved these changes

@ngm0 ngm0 ngm0 left review comments

@de-nordic de-nordic de-nordic approved these changes

@nashif nashif Awaiting requested review from nashif

@d3zd3z d3zd3z Awaiting requested review from d3zd3z

Assignees

@de-nordic de-nordic

Labels
area: File System bug The issue is a bug, or the PR is fixing a bug
Projects
None yet
Milestone
v3.5.0
Development

Successfully merging this pull request may close these issues.
5 participants
@ceolin @fabiobaltieri @ngm0 @de-nordic @zephyrbot