fix: write NUL terminator for MAM coherency signature#601
Open
hugo-hur wants to merge 3 commits into
Open
Conversation
Zero the buffer so every byte written to the MAM is defined. In particular the "LTFS\0" signature below is copied with arch_strncpy(...,"LTFS",5,4), which on Linux/Mac maps to strncpy(dst,"LTFS",4) and does NOT write the 5th (NUL) byte. tape_get_cart_coherency() validates the signature with strncmp(...,"LTFS",5), so leaving that byte as uninitialised stack made coherency validation depend on garbage: when non-zero, every mount fails with LTFS12062W and falls back to a full medium consistency check.
No change to the on-medium bytes; this hardens how the "LTFS" volume coherency signature is written and checked: - Write the signature with memcpy of the full "LTFS\0" (5 bytes) instead of arch_strncpy(..., 5, 4), which copied only 4 bytes and relied on the preceding memset to supply the NUL terminator. The NUL is now explicit. - Move the literal into TC_MAM_COHERENCY_SIGNATURE (tape_ops.h) so the writer and reader share one definition of the magic value and its compared length. - Add _Static_asserts that the page buffer is large enough to hold every fixed field offset that is written, and that the signature is 4 chars plus a NUL, catching regressions at compile time.
Author
|
Added some hardening on this part using C11 |
Apply the same compile-time bounds check used for the coherency page to the other two fixed-offset MAM buffers in tape.c: - tape_get_volume_change_reference reads a 32-bit VCR at offset 5, so assert the page holds at least 5 + sizeof(uint32_t) bytes. - tape_get_cart_volume_lock_status reads the status byte at offset TC_MAM_PAGE_HEADER_SIZE, so assert the page extends past the header. Both buffer sizes derive from page-size constants in tape_ops.h; the asserts fail the build if those constants are ever reduced below what the fixed-offset reads require, instead of silently reading past the end of the stack buffer.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Zero the buffer so every byte written to the MAM is defined. In particular the "LTFS\0" signature below is copied with arch_strncpy(...,"LTFS",5,4), which on Linux/Mac maps to strncpy(dst,"LTFS",4) and does NOT write the 5th (NUL) byte. tape_get_cart_coherency() validates the signature with strncmp(...,"LTFS",5), so leaving that byte as uninitialised stack made coherency validation depend on garbage: when non-zero, every mount fails with LTFS12062W and falls back to a full medium consistency check.
Summary of changes
This pull request includes following changes or fixes.
Description
I saw random warnings on fallback to media consistency check. When digging into this it seems there is uninitialized memory issue which is simply fixed by memsetting the allocated mam coherency data array. After adding the null initialization the issue disappears.
Type of change
Checklist: