#3439 accepted defect

buffer overflow in rtems_rfs_bitmap_create_search()

Reported by: waltl Owned by: Chris Johns
Priority: normal Milestone:
Component: fs/rfs Version:
Severity: normal Keywords:
Cc: Blocked By:


I am encountering a buffer overrun in rtems_rfs_bitmap_create_search(). It seems that whenever the bitmap uses the last bit of its search_map (i.e. (control->size + 31) % 32 == 32), the loop will write to the word one beyond the end of search_map.

Attached is a simple patch that fixes the problem.
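To make the failure mode concrete for reviewers, here is an added example (not the attached patch and not RTEMS code): a hypothetical two-level bitmap in which each bit of `search_map` summarises one 32-bit word of the primary map. The names `bitmap_t`, `map_words()`, `search_words()`, `bitmap_create_search()` and `run_with_alloc()` are assumptions for illustration. It shows the boundary the ticket describes: once the primary map needs exactly one more word than a multiple of 32, the search map needs one more word as well, and a loop that indexes `search_map` by word count with an undersized allocation steps one word past the end. The hardened loop checks the computed index against the allocated size and refuses instead of writing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BITS_PER_WORD 32u

/* Hypothetical model (assumption, not the RFS layout): each search_map bit is
   set when the corresponding primary-map word still has a free (zero) bit. */
typedef struct {
    uint32_t  size;          /* number of bits in the primary map */
    uint32_t *map;           /* map_words(size) words */
    uint32_t *search_map;    /* search_alloc words */
    uint32_t  search_alloc;  /* words actually allocated for search_map */
} bitmap_t;

static uint32_t words_for_bits(uint32_t bits)
{
    return (bits + BITS_PER_WORD - 1) / BITS_PER_WORD;   /* round up */
}

/* Words in the primary map, and words needed to hold one search bit per map word. */
uint32_t map_words(uint32_t size)    { return words_for_bits(size); }
uint32_t search_words(uint32_t size) { return words_for_bits(map_words(size)); }

/* Build the search map. Returns the number of map words processed, or -1 if
   the next store would land outside the allocated search_map. */
int bitmap_create_search(bitmap_t *bm)
{
    uint32_t n_map = map_words(bm->size);
    uint32_t w;

    memset(bm->search_map, 0, bm->search_alloc * sizeof(uint32_t));
    for (w = 0; w < n_map; w++) {
        uint32_t sw = w / BITS_PER_WORD;   /* search word holding bit w */
        uint32_t sb = w % BITS_PER_WORD;
        if (sw >= bm->search_alloc)        /* bounds check: would overrun */
            return -1;
        if (bm->map[w] != 0xffffffffu)     /* word still has a free bit */
            bm->search_map[sw] |= 1u << sb;
    }
    return (int) n_map;
}

/* Allocate a bitmap of `size` bits with `alloc_words` search words (possibly
   too few, to reproduce the undersized case), run the builder, and clean up. */
int run_with_alloc(uint32_t size, uint32_t alloc_words)
{
    bitmap_t bm;
    int rc;

    bm.size = size;
    bm.map = calloc(map_words(size), sizeof(uint32_t));   /* all bits free */
    bm.search_map = calloc(alloc_words, sizeof(uint32_t));
    bm.search_alloc = alloc_words;
    rc = bitmap_create_search(&bm);
    free(bm.map);
    free(bm.search_map);
    return rc;
}

int main(void)
{
    /* 1024 bits -> 32 map words -> 32 search bits -> exactly 1 search word.
       1025 bits -> 33 map words -> 33 search bits -> needs 2 search words;
       a truncating allocation (33 / 32 = 1) is one word short. */
    printf("1024 bits: search words needed %u, result %d\n",
           search_words(1024), run_with_alloc(1024, search_words(1024)));
    printf("1025 bits, 1 word allocated: result %d (refused)\n",
           run_with_alloc(1025, 1));
    printf("1025 bits, %u words allocated: result %d\n",
           search_words(1025), run_with_alloc(1025, search_words(1025)));
    return 0;
}
```

The check that matters is the comparison of `sw` against the allocated word count rather than against `size`; sizing both allocations with the same round-up helper removes the off-by-one at the multiple-of-32 boundary, and the bounds test turns any remaining mismatch into an error return rather than a silent write past the buffer.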

Attachments (1)

0001-Bitmap-bug-fix.patch (3.4 KB) - added by waltl on Jun 4, 2018 at 7:25:10 PM.
updated patch fix with test


Change History (6)

comment:1 Changed on May 30, 2018 at 5:15:06 PM by waltl

Component: admin → fs/rfs

comment:2 Changed on Jun 4, 2018 at 1:42:30 PM by Gedare Bloom

What version is this affecting? The patch is a bit outdated with respect to master branch. Do you have a test case by any chance?

comment:3 Changed on Jun 4, 2018 at 1:53:44 PM by Gedare Bloom

Owner: set to Chris Johns
Status: new → assigned

Changed on Jun 4, 2018 at 7:25:10 PM by waltl

Attachment: 0001-Bitmap-bug-fix.patch added

updated patch fix with test

comment:4 Changed on Jun 4, 2018 at 7:25:49 PM by waltl

I am using a snapshot of RTEMS provided by a third party, based on commit #821acce on master. The bug should still be there on the tip of master and on 4.11 (and probably 4.10 also, but that version seems to be missing another patch).

I've updated the patch to master, and also added a test.

comment:5 Changed on Jun 6, 2018 at 3:31:06 AM by Chris Johns

Status: assigned → accepted