From owner-freebsd-bugs@FreeBSD.ORG Thu Dec 27 23:00:09 2007
Message-Id: <20071227224807.40C8F1702A@shuttle.plass-family.net>
Date: Thu, 27 Dec 2007 14:48:07 -0800 (PST)
From: Michael Plass
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: mfp49_freebsd@plass-family.net
Subject: kern/119079: [patch] DDB input routine reads/writes beyond end of buffer

>Number:         119079
>Category:       kern
>Synopsis:       [patch] DDB input routine reads/writes beyond end of buffer
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 27 23:00:09 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Michael Plass
>Release:        FreeBSD 7.0-PRERELEASE amd64
>Organization:   PARC
>Environment:
System: FreeBSD shuttle.plass-family.net 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #20: Thu Dec 27 13:31:57 PST 2007 root@shuttle.plass-family.net:/usr/obj/usr/src/sys/FASTGENERIC amd64
>Description:
The ddb input routine db_readline() includes the terminating newline and NUL characters in the returned buffer, but it does not take this into account when checking against the caller-supplied limit.
>How-To-Repeat:
Enter DDB and type enough characters to fill the buffer (120 characters). Hit enter, and then use the up-arrow key to scroll back through history. Note that it picks up garbage past the end of the original line.
>Fix:
The patch checks the provided lsize and decreases it by two to leave room for the newline and NUL; it also clears these two characters, because some of the code paths don't provide the terminating NUL. (The patch also corrects a problem in history redraw when the cursor is not at the end of the line while scrolling back through history.)
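To make the off-by-two concrete, the following is an added, constructed model of the bug described above, not code from sys/ddb/db_input.c or from the PR: a line reader that copies typed characters into a caller-supplied buffer of lsize bytes and then appends '\n' and '\0'. The buggy form checks only the typed characters against the limit; the fixed form applies the same two-byte reservation and pre-clear as the PR's patch. The buffer size (8 instead of DDB's 120) and the guard-byte check are assumptions of this example.

```c
#include <string.h>

#define BUFSZ 8   /* caller-supplied limit (lsize), shrunk from DDB's 120 */
#define GUARD 4   /* bytes after the buffer used to detect an overrun */

/* Buggy reader: copies up to lsize typed chars, then appends '\n' and '\0'
 * without checking that they still fit inside the lsize-byte buffer. */
static int
readline_buggy(const char *typed, char *lstart, int lsize)
{
	int n = 0;
	while (n < lsize && typed[n] != '\0') {
		lstart[n] = typed[n];
		n++;
	}
	lstart[n] = '\n';		/* index lsize when the line is full */
	lstart[n + 1] = '\0';		/* index lsize + 1: two bytes past the end */
	return (n + 1);			/* highest index written */
}

/* Fixed reader, following the PR's approach: reject a buffer too small for one
 * char plus both terminators, reserve two bytes up front, and pre-clear them. */
static int
readline_fixed(const char *typed, char *lstart, int lsize)
{
	int n = 0;
	if (lsize < 3)
		return (-1);
	lstart[lsize - 1] = lstart[lsize - 2] = '\0';
	lsize -= 2;			/* allow space for newline and NUL */
	while (n < lsize && typed[n] != '\0') {
		lstart[n] = typed[n];
		n++;
	}
	lstart[n] = '\n';
	lstart[n + 1] = '\0';
	return (n + 1);			/* at most the original lsize - 1 */
}

/* Runs a reader on a guarded buffer; 1 if the guard bytes survived, 0 if not. */
static int
guard_intact(int (*rd)(const char *, char *, int), const char *typed)
{
	char buf[BUFSZ + GUARD];
	memset(buf, 0xAA, sizeof(buf));	/* constructed sentinel pattern */
	rd(typed, buf, BUFSZ);
	for (int i = BUFSZ; i < BUFSZ + GUARD; i++)
		if ((unsigned char)buf[i] != 0xAA)
			return (0);
	return (1);
}
```

A full-length line ("12345678" against an 8-byte buffer) is the case from How-To-Repeat: the buggy reader clobbers the guard, the fixed one stops at index 7.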
--- db_input_bufoverflow.patch begins here --- Index: db_input.c =================================================================== RCS file: /home/ncvs/src/sys/ddb/db_input.c,v retrieving revision 1.37 diff -u -3 -r1.37 db_input.c --- db_input.c 25 Dec 2007 23:06:51 -0000 1.37 +++ db_input.c 27 Dec 2007 22:04:40 -0000 @@ -250,7 +250,7 @@ } hist_redraw: - db_putnchars(BACKUP, db_le - db_lbuf_start); + db_putnchars(BACKUP, db_lc - db_lbuf_start); db_putnchars(BLANK, db_le - db_lbuf_start); db_putnchars(BACKUP, db_le - db_lbuf_start); db_le = index(db_lbuf_start, '\0'); @@ -302,6 +302,10 @@ char * lstart; int lsize; { + if (lsize < 3) + return (0); + lstart[lsize - 1] = lstart[lsize - 2] = 0; + lsize -= 2; /* allow space for newline and terminating NUL */ if (lsize != db_lhistlsize) { /* * (Re)initialize input line history. Throw away any --- db_input_bufoverflow.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
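Review bot: in the hist_redraw hunk, the first db_putnchars(BACKUP, ...) is the one that has to match where the terminal cursor actually sits, and the switch from db_le to db_lc is the right fix: with the cursor mid-line, backing up db_le - db_lbuf_start columns moved it left of the line start, so the blanking and redraw that follow landed in the wrong columns. The two calls that stay on db_le are correct as they are, since they blank and re-back-up over the full old line length. A one-line comment above the first call saying why it uses db_lc while the next two use db_le would stop a later reader from "fixing" it back, and since db_le is recomputed from the history line right after, please confirm that db_lc is reset to db_le alongside it so the next redraw's backup count is also right.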
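Review bot: in the db_readline hunk, the early return `if (lsize < 3) return (0);` hands back a buffer the routine never touched, so a caller that ignores the return value could parse uninitialized bytes; writing `lstart[0] = '\0'` before returning (when lsize is at least 1) makes that failure safe. The pre-clear `lstart[lsize - 1] = lstart[lsize - 2] = 0;` guarantees a terminating NUL only when the typed line fills the reduced buffer, since that is the one case where the terminators land in those two bytes; if the code paths the PR says skip the NUL can also return shorter lines, they should write the NUL at db_le themselves rather than rely on this. Doing `lsize -= 2` before the `lsize != db_lhistlsize` comparison means db_lhistlsize stores the reduced size, which keeps the history check consistent across calls; a short comment noting that this ordering is intentional would help.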