We allocate some buffers with a size that's ultimately dictated by on-disk metadata. This metadata can be incorrect and state is supposed to handle that by storing the data redundantly in three buckets.
Due to the use of x-family functions, we triggered a panic though, which made an unfortunate bitflip an irrecoverable error. Fix this by switching the allocations in question to non-panicking ones and propagating the error. This issue has been detected by libfuzzer. Signed-off-by: Ahmad Fatoum <[email protected]> --- common/state/backend_bucket_circular.c | 6 ++++-- common/state/backend_bucket_direct.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/common/state/backend_bucket_circular.c b/common/state/backend_bucket_circular.c index 6b5873aa9af1..0ad4e9f97275 100644 --- a/common/state/backend_bucket_circular.c +++ b/common/state/backend_bucket_circular.c @@ -265,7 +265,7 @@ static int state_backend_bucket_circular_read(struct state_backend_storage_bucke offset = circ->write_area - read_len; } - buf = xmalloc(read_len); + buf = malloc(read_len); if (!buf) return -ENOMEM; @@ -311,7 +311,9 @@ static int state_backend_bucket_circular_write(struct state_backend_storage_buck * We need zero initialization so that our data comparisons don't show * random changes */ - write_buf = xzalloc(written_length); + write_buf = calloc(1, written_length); + if (!write_buf) + return -ENOMEM; memcpy(write_buf, buf, len); meta = (struct state_backend_storage_bucket_circular_meta *) diff --git a/common/state/backend_bucket_direct.c b/common/state/backend_bucket_direct.c index 03c752d6fe41..6e4ce5ac26df 100644 --- a/common/state/backend_bucket_direct.c +++ b/common/state/backend_bucket_direct.c @@ -92,7 +92,7 @@ static int state_backend_bucket_direct_read(struct state_backend_storage_bucket } - buf = xmalloc(read_len); + buf = malloc(read_len); if (!buf) return -ENOMEM; -- 2.39.5
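Review bot: in the state_backend_bucket_circular_read hunk, the `if (!buf) return -ENOMEM;` that follows the changed line was already present but unreachable under xmalloc, so the switch to plain malloc makes an existing check live rather than adding a new one. Since read_len comes from on-disk metadata (per the commit message), consider also bounding read_len against the bucket size before the allocation: a corrupt value that is large but still allocatable passes this check and is treated as a valid read, and the preceding `offset = circ->write_area - read_len;` would already be computed from it.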
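Review bot: in the state_backend_bucket_circular_write hunk, `calloc(1, written_length)` keeps the zero initialization the comment above the change requires, and the new `if (!write_buf) return -ENOMEM;` mirrors the read path. Two things to confirm: that nothing allocated earlier in the function needs releasing on this new early-return path, and that `len <= written_length` is guaranteed before the following `memcpy(write_buf, buf, len);`, since written_length is one of the metadata-derived sizes the commit message describes.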
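Review bot: in the state_backend_bucket_direct_read hunk, as in the circular backend, the following `if (!buf) return -ENOMEM;` was dead code under xmalloc and now takes effect, so the change is consistent. The commit message could state explicitly that these NULL checks already existed but were unreachable, which explains why the two read paths gain no new check while the write path does.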
