Date: Tue, 12 Jan 2016 22:40:10 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 206177] Out-of-bounds read in wcsncat(3) Message-ID: <bug-206177-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206177 Bug ID: 206177 Summary: Out-of-bounds read in wcsncat(3) Product: Base System Version: 11.0-CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: cherepan@mccme.ru Created attachment 165467 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D165467&action= =3Dedit Patch The wcsncat function could read several bytes behind the end of its input buffer. This could lead to a crash if the buffer happens to immediately pre= cede an unmapped page. According to C11, 7.29.4.3.2, wcsncat(s1, s2, n) will append s2 to s1 but w= ill stop as soon as null wide char is met or n wide chars are read. In particul= ar, s2 is not required to be a null-terminated wide string. (The man page[1] for wcsncat refers to the man page[2] for strncat which erroneously talks about strings only. I filed [3] about it.) When s2 is an array containing exactly n non-null wide chars, FreeBSD implementation of wcsncat will read one extra wide char. The code[4] for traversing the source array: 50 r =3D s2; 51 while (*r && n) { 52 *q++ =3D *r++; 53 n--; 54 } "n" in the loop controlling expression makes sure that the loop is terminat= ed after n chars are copied but the dereference in "*r" happens before the "n" check. For example, there would be one dereference when n=3D0. Calling the function as wcsncat(s1, NULL, 0) will crash. (Formally speaking, passing NULL as s2 is invalid in C11, a valid crashing testcase is attached= .) To fix it, it's enough to swap the checks in the while loop (patch attached= ). Or all the code could be changed to match strncat. The issue has security consequences but the function is rarely used so seve= rity seems very low. Other BSDs are affected. [1] https://svnweb.freebsd.org/base/head/lib/libc/string/wmemchr.3?revision=3D2= 51069&view=3Dmarkup [2] https://svnweb.freebsd.org/base/head/lib/libc/string/strcat.3?revision=3D26= 2890&view=3Dmarkup [3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206176 [4] https://svnweb.freebsd.org/base/head/lib/libc/string/wcsncat.c?revision=3D1= 88080&view=3Dmarkup#l50 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-206177-8>