Overview

File PMIx-fix-potential-buffer-overflows-from-use-of-unpackmen_CVE-2020-27745.patch of Package slurm.25998

From c3142dd87e06621ff148791c3d2f298b5c0b3a81 Mon Sep 17 00:00:00 2001
From: Tim Wickberg <tim@schedmd.com>
Date: Thu, 12 Nov 2020 08:47:51 -0800
Subject: PMIx - fix potential buffer overflows from use of unpackmem().

CVE-2020-27745.
---
diff --git a/src/plugins/mpi/pmix/pmixp_coll_ring.c b/src/plugins/mpi/pmix/pmixp_coll_ring.c
index 20c54edfe6..64da0c9a6a 100644
--- a/src/plugins/mpi/pmix/pmixp_coll_ring.c
+++ b/src/plugins/mpi/pmix/pmixp_coll_ring.c
@@ -148,6 +148,7 @@ int pmixp_coll_ring_unpack(Buf buf, pmixp_coll_type_t *type,
 	uint32_t nprocs = 0;
 	uint32_t tmp;
 	int rc, i;
+	char *temp_ptr;
 
 	/* 1. extract the type of collective */
 	if (SLURM_SUCCESS != (rc = unpack32(&tmp, buf))) {
@@ -168,13 +169,13 @@ int pmixp_coll_ring_unpack(Buf buf, pmixp_coll_type_t *type,
 
 	/* 3. get namespace/rank of particular process */
 	for (i = 0; i < (int)nprocs; i++) {
-		rc = unpackmem(procs[i].nspace, &tmp, buf);
-		if (SLURM_SUCCESS != rc) {
+		if ((rc = unpackmem_ptr(&temp_ptr, &tmp, buf)) ||
+		    (strlcpy(procs[i].nspace, temp_ptr,
+			     PMIXP_MAX_NSLEN + 1) > PMIXP_MAX_NSLEN)) {
 			PMIXP_ERROR("Cannot unpack namespace for process #%d",
 				    i);
 			return rc;
 		}
-		procs[i].nspace[tmp] = '\0';
 
 		rc = unpack32(&tmp, buf);
 		procs[i].rank = tmp;
@@ -186,11 +187,14 @@ int pmixp_coll_ring_unpack(Buf buf, pmixp_coll_type_t *type,
 	}
 
 	/* 4. extract the ring info */
-	if (SLURM_SUCCESS != (rc = unpackmem((char *)ring_hdr, &tmp, buf))) {
+	if ((rc = unpackmem_ptr(&temp_ptr, &tmp, buf)) ||
+	    (tmp != sizeof(pmixp_coll_ring_msg_hdr_t))) {
 		PMIXP_ERROR("Cannot unpack ring info");
 		return rc;
 	}
 
+	memcpy(ring_hdr, temp_ptr, sizeof(pmixp_coll_ring_msg_hdr_t));
+
 	return SLURM_SUCCESS;
 }
 
diff --git a/src/plugins/mpi/pmix/pmixp_coll_tree.c b/src/plugins/mpi/pmix/pmixp_coll_tree.c
index b0990e92ce..4829c2286c 100644
--- a/src/plugins/mpi/pmix/pmixp_coll_tree.c
+++ b/src/plugins/mpi/pmix/pmixp_coll_tree.c
@@ -76,6 +76,7 @@ int pmixp_coll_tree_unpack(Buf buf, pmixp_coll_type_t *type,
 	uint32_t nprocs = 0;
 	uint32_t tmp;
 	int i, rc;
+	char *temp_ptr;
 
 	/* 1. extract the type of collective */
 	if (SLURM_SUCCESS != (rc = unpack32(&tmp, buf))) {
@@ -96,13 +97,13 @@ int pmixp_coll_tree_unpack(Buf buf, pmixp_coll_type_t *type,
 
 	for (i = 0; i < (int)nprocs; i++) {
 		/* 3. get namespace/rank of particular process */
-		rc = unpackmem(procs[i].nspace, &tmp, buf);
-		if (SLURM_SUCCESS != rc) {
+		if ((rc = unpackmem_ptr(&temp_ptr, &tmp, buf)) ||
+		    (strlcpy(procs[i].nspace, temp_ptr,
+			     PMIXP_MAX_NSLEN + 1) > PMIXP_MAX_NSLEN)) {
 			PMIXP_ERROR("Cannot unpack namespace for process #%d",
 				    i);
 			return rc;
 		}
-		procs[i].nspace[tmp] = '\0';
 
 		unsigned int tmp;
 		rc = unpack32(&tmp, buf);
-- 
2.29.2
openSUSE Build Service is sponsored by
Places