File PMIx-fix-potential-buffer-overflows-from-use-of-unpackmen_CVE-2020-27745.patch of Package slurm.25998
From c3142dd87e06621ff148791c3d2f298b5c0b3a81 Mon Sep 17 00:00:00 2001
From: Tim Wickberg <tim@schedmd.com>
Date: Thu, 12 Nov 2020 08:47:51 -0800
Subject: PMIx - fix potential buffer overflows from use of unpackmem().
CVE-2020-27745.
---
diff --git a/src/plugins/mpi/pmix/pmixp_coll_ring.c b/src/plugins/mpi/pmix/pmixp_coll_ring.c
index 20c54edfe6..64da0c9a6a 100644
--- a/src/plugins/mpi/pmix/pmixp_coll_ring.c
+++ b/src/plugins/mpi/pmix/pmixp_coll_ring.c
@@ -148,6 +148,7 @@ int pmixp_coll_ring_unpack(Buf buf, pmixp_coll_type_t *type,
uint32_t nprocs = 0;
uint32_t tmp;
int rc, i;
+ char *temp_ptr;
/* 1. extract the type of collective */
if (SLURM_SUCCESS != (rc = unpack32(&tmp, buf))) {
@@ -168,13 +169,13 @@ int pmixp_coll_ring_unpack(Buf buf, pmixp_coll_type_t *type,
/* 3. get namespace/rank of particular process */
for (i = 0; i < (int)nprocs; i++) {
- rc = unpackmem(procs[i].nspace, &tmp, buf);
- if (SLURM_SUCCESS != rc) {
+ if ((rc = unpackmem_ptr(&temp_ptr, &tmp, buf)) ||
+ (strlcpy(procs[i].nspace, temp_ptr,
+ PMIXP_MAX_NSLEN + 1) > PMIXP_MAX_NSLEN)) {
PMIXP_ERROR("Cannot unpack namespace for process #%d",
i);
return rc;
}
- procs[i].nspace[tmp] = '\0';
rc = unpack32(&tmp, buf);
procs[i].rank = tmp;
@@ -186,11 +187,14 @@ int pmixp_coll_ring_unpack(Buf buf, pmixp_coll_type_t *type,
}
/* 4. extract the ring info */
- if (SLURM_SUCCESS != (rc = unpackmem((char *)ring_hdr, &tmp, buf))) {
+ if ((rc = unpackmem_ptr(&temp_ptr, &tmp, buf)) ||
+ (tmp != sizeof(pmixp_coll_ring_msg_hdr_t))) {
PMIXP_ERROR("Cannot unpack ring info");
return rc;
}
+ memcpy(ring_hdr, temp_ptr, sizeof(pmixp_coll_ring_msg_hdr_t));
+
return SLURM_SUCCESS;
}
diff --git a/src/plugins/mpi/pmix/pmixp_coll_tree.c b/src/plugins/mpi/pmix/pmixp_coll_tree.c
index b0990e92ce..4829c2286c 100644
--- a/src/plugins/mpi/pmix/pmixp_coll_tree.c
+++ b/src/plugins/mpi/pmix/pmixp_coll_tree.c
@@ -76,6 +76,7 @@ int pmixp_coll_tree_unpack(Buf buf, pmixp_coll_type_t *type,
uint32_t nprocs = 0;
uint32_t tmp;
int i, rc;
+ char *temp_ptr;
/* 1. extract the type of collective */
if (SLURM_SUCCESS != (rc = unpack32(&tmp, buf))) {
@@ -96,13 +97,13 @@ int pmixp_coll_tree_unpack(Buf buf, pmixp_coll_type_t *type,
for (i = 0; i < (int)nprocs; i++) {
/* 3. get namespace/rank of particular process */
- rc = unpackmem(procs[i].nspace, &tmp, buf);
- if (SLURM_SUCCESS != rc) {
+ if ((rc = unpackmem_ptr(&temp_ptr, &tmp, buf)) ||
+ (strlcpy(procs[i].nspace, temp_ptr,
+ PMIXP_MAX_NSLEN + 1) > PMIXP_MAX_NSLEN)) {
PMIXP_ERROR("Cannot unpack namespace for process #%d",
i);
return rc;
}
- procs[i].nspace[tmp] = '\0';
unsigned int tmp;
rc = unpack32(&tmp, buf);
--
2.29.2