From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 219154] [PATCH] buffer overflows in realpath(3)
Date: Mon, 15 May 2017 17:15:15 +0000
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219154

--- Comment #5 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kib
Date: Mon May 15 17:14:53 UTC 2017
New revision: 318298
URL: https://svnweb.freebsd.org/changeset/base/318298

Log:
  Fix several buffer overflows in realpath(3).

  - The statement "left_len -= s - left;" does not take the slash into
    account if one was found. This results in the invariant
    "left[left_len] == '\0'" being violated (and possible buffer
    overflows). The patch replaces the variable "s" with a size_t
    "next_token_len" for more clarity.

  - "slen" from readlink(2) can be 0 when encountering empty symlinks.
    Then, further down, "symlink[slen - 1]" underflows the buffer. When
    slen == 0, realpath(3) should probably return ENOENT
    (http://austingroupbugs.net/view.php?id=825,
    https://lwn.net/Articles/551224/).

  Some other minor issues:

  - The condition "resolved_len >= PATH_MAX" cannot be true.

  - Similarly, "s - left >= sizeof(next_token)" cannot be true, as long
    as "sizeof(next_token) >= sizeof(left)".

  - Return ENAMETOOLONG when a resolved symlink from readlink(2) is too
    long for the symlink buffer (instead of just truncating it).

  - "resolved_len > 1" below the call to readlink(2) is always true as
    "strlcat(resolved, next_token, PATH_MAX);" always results in a string
    of length > 1. Also, "resolved[resolved_len - 1] = '\0';" is not
    needed; there can never be a trailing slash here.

  - The truncation check for "strlcat(symlink, left, sizeof(symlink));"
    should be against "sizeof(symlink)" (the third argument to strlcat)
    instead of "sizeof(left)".

  Submitted by:	Jan Kokemüller
  PR:		219154
  MFC after:	2 weeks

Changes:
  head/lib/libc/stdlib/realpath.c

-- 
You are receiving this mail because:
You are the assignee for the bug.


From: bugzilla-noreply@freebsd.org
Subject: [Bug 219154] [PATCH] buffer overflows in realpath(3)
Date: Mon, 15 May 2017 17:18:44 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219154

--- Comment #6 from Konstantin Belousov ---
(In reply to commit-hook from comment #5)

I committed the patch almost as is, the bits I omitted are asserts.
Generally, library must not kill the application. If you consider it is
more appropriate, checks might be made into function errors, but I do not
see much point.

Still waiting for the tests.


From: bugzilla-noreply@freebsd.org
Subject: [Bug 219154] [PATCH] buffer overflows in realpath(3)
Date: Thu, 18 May 2017 05:12:15 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219154

--- Comment #7 from Jan Kokemüller ---
Created attachment 182684
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=182684&action=edit
More tests for realpath(3)

Here is a patch that adds 'lib/libc/tests/gen/realpath2_test.c'.

The first test triggers the out of bounds read of the 'left' array. It
only fails when realpath.c is compiled with '-fsanitize=address' so I'm not
sure how useful this test is. I didn't manage to read more than one byte
beyond the buffer or trigger some visible faulty behavior.

The other test checks for ENOENT when running into an empty symlink. This
matches NetBSD's realpath(3) semantics. Previously, empty symlinks were
treated like ".".


From: bugzilla-noreply@freebsd.org
Subject: [Bug 219154] [PATCH] buffer overflows in realpath(3)
Date: Thu, 18 May 2017 13:50:52 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219154

--- Comment #8 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kib
Date: Thu May 18 13:49:53 UTC 2017
New revision: 318450
URL: https://svnweb.freebsd.org/changeset/base/318450

Log:
  Add tests for some cases in r318298.

  The first test triggers the out of bounds read of the 'left' array. It
  only fails when realpath.c is compiled with '-fsanitize=address'.

  The other test checks for ENOENT when running into an empty symlink.
  This matches NetBSD's realpath(3) semantics. Previously, empty symlinks
  were treated like ".".

  Submitted by:	Jan Kokemüller
  PR:		219154
  MFC after:	2 weeks

Changes:
  head/lib/libc/tests/gen/Makefile
  head/lib/libc/tests/gen/realpath2_test.c
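The two defects that the r318298 log in comment #5 describes, and that the tests in comment #7 exercise, as an added C illustration that is neither FreeBSD's realpath.c nor the submitted patch: a simplified tokeniser using the log's variable names (left, left_len, next_token, next_token_len, symlink, slen) that can run with either the old "left_len -= s - left;" accounting or the corrected one, plus the readlink(2) result check that turns an empty target into ENOENT and a filled buffer into ENAMETOOLONG instead of truncating. The function names take_token, walk_keeps_invariant, check_link_target and simulated_readlink_status are made up for this example, and the rest of realpath(3) (the "resolved" buffer, lstat, loop detection) is not modelled.

```c
/*
 * Added illustration, not FreeBSD's realpath.c nor the patch from bug
 * 219154: a simplified model of two steps the r318298 log describes.
 * Variable names follow the log; the function names are made up here.
 */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#ifndef PATH_MAX
#define PATH_MAX 1024
#endif

/*
 * Move the first component of "left" into "next_token", keeping "left" a
 * NUL-terminated string whose length is *left_len (the log's invariant
 * left[left_len] == '\0').  With buggy != 0 the old accounting is used:
 * "left_len -= s - left;" subtracts the token only, so a consumed '/' is
 * not counted and left_len ends up one too large.  Returns 0 or an errno.
 */
static int
take_token(char *left, size_t *left_len, char *next_token,
    size_t next_token_size, int buggy)
{
	char *s;
	size_t next_token_len, consumed;

	s = strchr(left, '/');
	next_token_len = (s != NULL) ? (size_t)(s - left) : *left_len;
	if (next_token_len >= next_token_size)
		return (ENAMETOOLONG);
	memcpy(next_token, left, next_token_len);
	next_token[next_token_len] = '\0';

	consumed = next_token_len + (s != NULL ? 1 : 0);	/* token plus slash */
	*left_len -= buggy ? next_token_len : consumed;
	/* left_len + 1 bytes are moved; with the stale length this reads one
	 * byte past the terminator, which is the over-read ASan reports. */
	memmove(left, left + consumed, *left_len + 1);
	return (0);
}

/*
 * Tokenise "path" to the end and report whether strlen(left) == left_len
 * held after every step: 1 if it always did, 0 otherwise.  The buffer is
 * zeroed so the one-byte over-read of the buggy variant stays inside it.
 */
static int
walk_keeps_invariant(const char *path, int buggy)
{
	char left[PATH_MAX], next_token[PATH_MAX];
	size_t left_len = strlen(path);

	if (left_len >= sizeof(left))
		return (0);
	memset(left, 0, sizeof(left));
	memcpy(left, path, left_len);
	while (left_len != 0) {
		if (take_token(left, &left_len, next_token,
		    sizeof(next_token), buggy) != 0)
			return (0);
		if (strlen(left) != left_len)
			return (0);
	}
	return (1);
}

/*
 * Post-process a readlink(2) result the way the fixed code does.  slen is
 * the byte count readlink(2) returned (the caller has already handled -1).
 * An empty target (slen == 0) is ENOENT instead of indexing
 * symlink[slen - 1]; a count that fills the buffer may be truncated, so it
 * is ENAMETOOLONG; otherwise the target is NUL-terminated.
 */
static int
check_link_target(char *symlink, size_t symlink_size, ssize_t slen)
{
	if (slen == 0)
		return (ENOENT);
	if ((size_t)slen >= symlink_size)
		return (ENAMETOOLONG);
	symlink[slen] = '\0';
	return (0);
}

/*
 * Constructed stand-in for readlink(2) into a buffer of symlink_size bytes:
 * it copies at most that many bytes of "target" without a terminator,
 * like the system call, and returns check_link_target()'s verdict.
 */
static int
simulated_readlink_status(const char *target, size_t symlink_size)
{
	char symlink[PATH_MAX];
	size_t tlen = strlen(target);
	ssize_t slen;

	if (symlink_size > sizeof(symlink))
		return (EINVAL);
	slen = (ssize_t)(tlen < symlink_size ? tlen : symlink_size);
	memcpy(symlink, target, (size_t)slen);
	return (check_link_target(symlink, symlink_size, slen));
}

int
main(void)
{
	printf("usr/bin  fixed: %d  buggy: %d\n",
	    walk_keeps_invariant("usr/bin", 0), walk_keeps_invariant("usr/bin", 1));
	printf("empty: %d  long: %d  ok: %d\n", simulated_readlink_status("", 16),
	    simulated_readlink_status("/usr/local/share/doc", 16),
	    simulated_readlink_status("target", 16));
	return (0);
}
```

Build with "cc -fsanitize=address" to see the over-read the buggy accounting causes on "usr/bin" flagged even though it stays inside the zeroed array; a path with no slash at all ("bin") keeps the invariant under both variants, which is why the defect only surfaces once a separator has been consumed.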