From 7c555fee9d768805b29a16f3cb861a977ab58d75 Mon Sep 17 00:00:00 2001 From: Tony Hutter Date: Tue, 9 May 2023 17:55:19 -0700 Subject: [PATCH] pam: Fix "buffer overflow" in pam ZTS tests on F38 The pam ZTS tests were reporting a buffer overflow on F38, possibly due to F38 now setting _FORTIFY_SOURCE=3 by default. gdb and valgrind narrowed this down to a snprintf() buffer overflow in zfs_key_config_modify_session_counter(). I'm not clear why this particular snprintf() was being flagged as an overflow, but when I replaced it with an asprintf(), the test passed reliably. Reviewed-by: Brian Behlendorf Signed-off-by: Tony Hutter Closes #14802 Closes #14842 --- contrib/pam_zfs_key/pam_zfs_key.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/contrib/pam_zfs_key/pam_zfs_key.c b/contrib/pam_zfs_key/pam_zfs_key.c index 0db119382e..3137037707 100644 --- a/contrib/pam_zfs_key/pam_zfs_key.c +++ b/contrib/pam_zfs_key/pam_zfs_key.c @@ -548,16 +548,11 @@ zfs_key_config_modify_session_counter(pam_handle_t *pamh, errno); return (-1); } - size_t runtime_path_len = strlen(runtime_path); - size_t counter_path_len = runtime_path_len + 1 + 10; - char *counter_path = malloc(counter_path_len + 1); - if (!counter_path) { + + char *counter_path; + if (asprintf(&counter_path, "%s/%u", runtime_path, config->uid) == -1) return (-1); - } - counter_path[0] = 0; - strcat(counter_path, runtime_path); - snprintf(counter_path + runtime_path_len, counter_path_len, "/%d", - config->uid); + const int fd = open(counter_path, O_RDWR | O_CLOEXEC | O_CREAT | O_NOFOLLOW, S_IRUSR | S_IWUSR);