Date: Sun, 04 Jan 2009 19:06:18 +0100
From: Christoph Mallon <christoph.mallon@gmx.de>
To: "David E. O'Brien" <obrien@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r186504 - head/sbin/mount
Message-ID: <4960FA9A.1090509@gmx.de>
In-Reply-To: <200812262254.mBQMsrbR052676@svn.freebsd.org>
References: <200812262254.mBQMsrbR052676@svn.freebsd.org>
Hi David,

I'm pretty sure $SUPERNATURAL_BEING_OF_YOUR_CHOICE killed a kitten for the ugly hack you added to mount. The moment you overflow a buffer, you are in no man's land and there's no escape. I appended a patch, which solves this issue once and for all: The argv array gets dynamically expanded, when its limit is reached. Please - for all kittens out there - commit this patch.

Christoph

David E. O'Brien wrote:
> Author: obrien
> Date: Fri Dec 26 22:54:53 2008
> New Revision: 186504
> URL: http://svn.freebsd.org/changeset/base/186504
>
> Log:
> Make the sub-'argc' static to make it harder to overwrite thru a buffer
> overflow.
>
> Modified:
> head/sbin/mount/mount.c
>
> Modified: head/sbin/mount/mount.c > ============================================================================== > --- head/sbin/mount/mount.c Fri Dec 26 22:47:11 2008 (r186503) > +++ head/sbin/mount/mount.c Fri Dec 26 22:54:53 2008 (r186504) 
> @@ -503,9 +503,10 @@ int > mountfs(const char *vfstype, const char *spec, const char *name, int flags, > const char *options, const char *mntopts) > { > + static int argc; > char *argv[MAX_ARGS]; > struct statfs sf; > - int argc, i, ret; > + int i, ret; > char *optbuf, execname[PATH_MAX], mntpath[PATH_MAX]; > > /* resolve the mountpoint with realpath(3) */

Attachment: mount.diff (text/plain, base64-encoded)
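
Review bot: making argc static in the quoted hunk moves only the counter out of the stack frame; "char *argv[MAX_ARGS];" stays a fixed-size automatic array and the hunk adds no bound check on the index, so a store past its end still corrupts whatever follows it on the stack. Check argc against MAX_ARGS before each store into argv, or allocate argv dynamically and grow it on demand, instead of relocating one variable. A static local also keeps its value between calls and makes mountfs() non-reentrant, so the function now depends on argc being reset at the start of every call; that deserves a comment at the declaration.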
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4960FA9A.1090509>
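
The dynamically expanded argv that the message describes, sketched as an added example; it is not the attached mount.diff and not FreeBSD's code. The names struct argvec, argvec_push and argvec_demo are hypothetical, and the starting capacity of 16 and the pushed "-o" strings are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Growable argument vector (hypothetical names, not taken from mount.c). */
struct argvec {
	char	**v;
	size_t	  n;	/* slots in use */
	size_t	  cap;	/* slots allocated */
};

/* Append one pointer, doubling the allocation when full; 0 ok, -1 error. */
static int
argvec_push(struct argvec *a, char *arg)
{
	if (a->n == a->cap) {
		size_t ncap = a->cap == 0 ? 16 : a->cap * 2;
		char **nv;
		/* Refuse capacities whose byte count would wrap around. */
		if (ncap < a->cap || ncap > SIZE_MAX / sizeof(*nv))
			return (-1);
		/* Separate pointer: a failed realloc leaves a->v valid. */
		nv = realloc(a->v, ncap * sizeof(*nv));
		if (nv == NULL)
			return (-1);
		a->v = nv;
		a->cap = ncap;
	}
	a->v[a->n++] = arg;	/* n < cap is guaranteed at this point */
	return (0);
}

/* Constructed demo: push `count` options plus the NULL that execv(3) expects. */
static size_t
argvec_demo(size_t count)
{
	struct argvec a = { NULL, 0, 0 };
	static char opt[] = "-o";
	size_t i, used = 0;	/* 0 is returned on allocation failure */
	for (i = 0; i < count; i++)
		if (argvec_push(&a, opt) != 0)
			goto out;
	if (argvec_push(&a, NULL) == 0 && a.v[a.n - 1] == NULL)
		used = a.n;
out:
	free(a.v);
	return (used);
}

int main(void) { return (argvec_demo(1000) == 1001 ? 0 : 1); }
```

Every store, the terminating NULL included, goes through the same capacity check, so the number of options no longer has to fit a compile-time limit.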