authorFrantisek Sumsal <frantisek@sumsal.cz>2023-05-15 20:25:43 +0200
committerFrantisek Sumsal <frantisek@sumsal.cz>2023-05-16 11:27:10 +0200
commit525c3e3438a7e4cd78b42f5f6ccdc3df1e363ca9 (patch)
tree62c6b3c4125c7c275f8e34402d8d94cc6848d6a9
parentfc832965476d106fb3d5a6c9a43f5ff3166987b2 (diff)
downloadsystemd-525c3e3438a7e4cd78b42f5f6ccdc3df1e363ca9.tar.gz
nspawn: fix a global-buffer-overflow
Whoopsie. ================================================================= ==3789231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000051d0b8 at pc 0x7f70850bc904 bp 0x7ffd9bbdf660 sp 0x7ffd9bbdf658 READ of size 8 at 0x00000051d0b8 thread T0 #0 0x7f70850bc903 in json_dispatch ../src/shared/json.c:4347 #1 0x4a5b54 in oci_seccomp_syscalls ../src/nspawn/nspawn-oci.c:1838 #2 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #3 0x4a668c in oci_seccomp ../src/nspawn/nspawn-oci.c:1905 #4 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #5 0x4a7d8c in oci_linux ../src/nspawn/nspawn-oci.c:2030 #6 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4aa31c in oci_load ../src/nspawn/nspawn-oci.c:2198 #8 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #9 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #10 0x4552fb in main ../src/nspawn/nspawn.c:5920 #11 0x7f7083a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #12 0x7f7083a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #13 0x40d284 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/systemd-nspawn+0x40d284) 0x00000051d0b8 is located 40 bytes to the left of global variable 'bus_standard_errors_copy_0' defined in '../src/libsystemd/sd-bus/bus-error.h:57:1' (0x51d0e0) of size 8 0x00000051d0b8 is located 0 bytes to the right of global variable 'table' defined in '../src/nspawn/nspawn-oci.c:1829:43' (0x51d040) of size 120 SUMMARY: AddressSanitizer: global-buffer-overflow ../src/shared/json.c:4347 in json_dispatch Shadow bytes around the buggy address: 0x00008009b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009b9d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9e0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 =>0x00008009ba10: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9 0x00008009ba20: f9 
f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3789231==ABORTING
-rw-r--r--src/nspawn/nspawn-oci.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c
index 22ac1e2ebf..c79f9c62d7 100644
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@@ -1829,6 +1829,7 @@ static int oci_seccomp_syscalls(const char *name, JsonVariant *v, JsonDispatchFl
{ "names", JSON_VARIANT_ARRAY, json_dispatch_strv, offsetof(struct syscall_rule, names), JSON_MANDATORY },
{ "action", JSON_VARIANT_STRING, oci_seccomp_action, offsetof(struct syscall_rule, action), JSON_MANDATORY },
{ "args", JSON_VARIANT_ARRAY, oci_seccomp_args, 0, 0 },
+ {}
};
struct syscall_rule rule = {
.action = UINT32_MAX,
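Review bot: The new `{}` terminator at the end of `table` carries no comment, and the ASan trace in the commit message (a read by json_dispatch 0 bytes to the right of `table`) suggests json_dispatch() relies on it to stop walking the array. I would annotate it, e.g. `{} /* sentinel: json_dispatch() presumably stops at the first entry with a NULL name; keep last */`, so a later edit does not append an entry after it or drop it. Per the same trace this table is reached via oci_load and load_oci_bundle, so the out-of-bounds read was triggered while parsing an OCI bundle's configuration; a test that loads a bundle with a seccomp `syscalls` section under a sanitizer build would catch a regression. The other dispatch tables in this file are not visible here and are worth checking for the same missing terminator. The body of oci_seccomp_syscalls starts and ends outside the hunk.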