There is a buffer overflow in dscr_inherit_test.c test. In main(), strncpy()'s
third argument is the length of the source, not the size of the destination
buffer, which makes strncpy() behaves like strcpy(), causing a buffer overflow
if argv[0] is bigger than LEN_MAX (100).
This patch allocates 'prog' according to the argv[0] length, avoiding LEN_MAX
restriction.
CC: Segher Boessenkool <seg...@kernel.crashing.org>
CC: Anshuman Khandual <khand...@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <lei...@debian.org>
---
tools/testing/selftests/powerpc/dscr/dscr_inherit_exec_test.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/powerpc/dscr/dscr_inherit_exec_test.c
b/tools/testing/selftests/powerpc/dscr/dscr_inherit_exec_test.c
index 08a8b95e3bc1..ecac4900c7dd 100644
--- a/tools/testing/selftests/powerpc/dscr/dscr_inherit_exec_test.c
+++ b/tools/testing/selftests/powerpc/dscr/dscr_inherit_exec_test.c
@@ -19,7 +19,7 @@
*/
#include "dscr.h"
-static char prog[LEN_MAX];
+static char *prog;
static void do_exec(unsigned long parent_dscr)
{
@@ -104,6 +104,13 @@ int main(int argc, char *argv[])
exit(1);
}
- strncpy(prog, argv[0], strlen(argv[0]));
+ prog = malloc(strlen(argv[0]) + 1);
+ if (prog == NULL) {
+ fprintf(stderr, "Unable to allocate enough memory\n");
+ exit(1);
+ }
+
+ strcpy(prog, argv[0]);
+
return test_harness(dscr_inherit_exec, "dscr_inherit_exec_test");
}
--
2.16.3
