From owner-freebsd-bugs@FreeBSD.ORG  Wed Sep 14 20:20:23 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E4E8416A420
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 14 Sep 2005 20:20:22 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 19CAF43D48
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 14 Sep 2005 20:20:22 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j8EKKLSJ078869
	for <freebsd-bugs@freefall.freebsd.org>; Wed, 14 Sep 2005 20:20:21 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j8EKKLBP078868;
	Wed, 14 Sep 2005 20:20:21 GMT (envelope-from gnats)
Resent-Date: Wed, 14 Sep 2005 20:20:21 GMT
Resent-Message-Id: <200509142020.j8EKKLBP078868@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Trevor Blackwell <tlb@tlb.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BFB1916A41F
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 14 Sep 2005 20:13:23 +0000 (GMT) (envelope-from tlb@tlb.org)
Received: from anybots.com (w047.z064220186.sjc-ca.dsl.cnc.net [64.220.186.47])
	by mx1.FreeBSD.org (Postfix) with SMTP id 7E5E943D49
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 14 Sep 2005 20:13:23 +0000 (GMT) (envelope-from tlb@tlb.org)
Received: (qmail 71520 invoked from network); 14 Sep 2005 20:13:23 -0000
Received: from unknown (HELO ?10.10.10.20?) (10.10.10.20)
	by 10.10.10.20 with SMTP; 14 Sep 2005 20:13:23 -0000
Message-Id: <1126728802.42486.3239.camel@lab>
Date: Wed, 14 Sep 2005 13:13:22 -0700
From: Trevor Blackwell <tlb@tlb.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: 
Subject: bin/86135: Fwd: Latent buffer overflow in getcwd
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2005 20:20:23 -0000


>Number:         86135
>Category:       bin
>Synopsis:       Latent buffer overflow in getcwd
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 14 20:20:21 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Trevor Blackwell
>Release:        FreeBSD 5.4-RELEASE-p6 i386
>Organization:
Anybots Inc
>Environment:
System: FreeBSD tlb.anybots.com 5.4-RELEASE-p6 FreeBSD 5.4-RELEASE-p6 #0: Mon Sep 12 17:14:32 PDT 2005 root@tlb.anybots.com:/usr/obj/usr/src/sys/TLB i386


>Description:

The libc getcwd has a latent bug, where it allocates a buffer of 1020 bytes and assumes 
it to have MAXPATHLEN (=1024) bytes. Normal modern mallocs will allocate 1024 bytes
anyway, but a different malloc could cause an overrun, and changing MAXPATHLEN could cause
trouble, and it'll cause trouble with debugging mallocs.

Allocating 1024-4 was an optimization assuming the existence of a malloc header, which
isn't the case nowadays. The most important think is that eup = up + upsize, but the most
robust plan is to allocate MAXPATHLEN bytes in case that changes.

>How-To-Repeat:
       It wouldn't be easy to cause an actual corruption

>Fix:

Index: getcwd.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/gen/getcwd.c,v
retrieving revision 1.25
diff -c -r1.25 getcwd.c
*** getcwd.c    29 Oct 2003 10:45:01 -0000      1.25
--- getcwd.c    14 Sep 2005 18:25:48 -0000
***************
*** 115,123 ****
         * Should always be enough (it's 340 levels).  If it's not, allocate
         * as necessary.  Special case the first stat, it's ".", not "..".
         */
!       if ((up = malloc(upsize = 1024 - 4)) == NULL)
                goto err;
!       eup = up + MAXPATHLEN;
        bup = up;
        up[0] = '.';
        up[1] = '\0';
--- 115,123 ----
         * Should always be enough (it's 340 levels).  If it's not, allocate
         * as necessary.  Special case the first stat, it's ".", not "..".
         */
!       if ((up = malloc(upsize = MAXPATHLEN)) == NULL)
                goto err;
!       eup = up + upsize;
        bup = up;
        up[0] = '.';
        up[1] = '\0';



>Release-Note:
>Audit-Trail:
>Unformatted: