Date: Thu, 27 Dec 2007 14:48:07 -0800 (PST)
From: Michael Plass <mfp49_freebsd@plass-family.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: mfp49_freebsd@plass-family.net
Subject: kern/119079: [patch] DDB input routine reads/writes beyond end of buffer
Message-ID: <20071227224807.40C8F1702A@shuttle.plass-family.net>
Resent-Message-ID: <200712272300.lBRN09SK088319@freefall.freebsd.org>
>Number:         119079
>Category:       kern
>Synopsis:       [patch] DDB input routine reads/writes beyond end of buffer
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 27 23:00:09 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Michael Plass
>Release:        FreeBSD 7.0-PRERELEASE amd64
>Organization:   PARC
>Environment:
System: FreeBSD shuttle.plass-family.net 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #20: Thu Dec 27 13:31:57 PST 2007 root@shuttle.plass-family.net:/usr/obj/usr/src/sys/FASTGENERIC amd64
>Description:
The ddb input routine db_readline() includes the terminating newline and NUL characters in the returned buffer, but it does not take this into account when checking against the caller-supplied limit.
>How-To-Repeat:
Enter DDB and type enough characters to fill the buffer (120 characters). Hit enter, and then use the up-arrow key to scroll back through history. Note that it picks up garbage past the end of the original line.
>Fix:
The patch checks the provided lsize and decreases it by two to leave room for the newline and NUL; it also clears these two characters, because some of the code paths don't provide the terminating NUL. (The patch also corrects a problem in history redraw when the cursor is not at the end of the line while scrolling back through history.)

--- db_input_bufoverflow.patch begins here --- Index: db_input.c =================================================================== RCS file: /home/ncvs/src/sys/ddb/db_input.c,v retrieving revision 1.37 diff -u -3 -r1.37 db_input.c --- db_input.c 25 Dec 2007 23:06:51 -0000 1.37 +++ db_input.c 27 Dec 2007 22:04:40 -0000 @@ -250,7 +250,7 @@ } hist_redraw: - db_putnchars(BACKUP, db_le - db_lbuf_start); + db_putnchars(BACKUP, db_lc - db_lbuf_start); db_putnchars(BLANK, db_le - db_lbuf_start); db_putnchars(BACKUP, db_le - db_lbuf_start); db_le = index(db_lbuf_start, '\0'); 
@@ -302,6 +302,10 @@ char * lstart; int lsize; { + if (lsize < 3) + return (0); + lstart[lsize - 1] = lstart[lsize - 2] = 0; + lsize -= 2; /* allow space for newline and terminating NUL */ if (lsize != db_lhistlsize) { /* * (Re)initialize input line history. Throw away any --- db_input_bufoverflow.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
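Review bot: the hist_redraw hunk (`- db_putnchars(BACKUP, db_le - db_lbuf_start);` / `+ db_putnchars(BACKUP, db_lc - db_lbuf_start);`) is a separate fix from the buffer-limit problem in the synopsis and is easier to review and merge back on its own, with one line in the log saying what it corrects. The change itself is right: the following `db_putnchars(BLANK, db_le - db_lbuf_start);` and `db_putnchars(BACKUP, db_le - db_lbuf_start);` assume the cursor is already at the start of the line, which only holds if the first backup counts from the cursor position (db_lc) rather than from the end of the line (db_le). Nothing in the hunk shows db_lc being brought back in line with db_le after `db_le = index(db_lbuf_start, '\0');`, so confirm that the code below the hunk does that, otherwise the next redraw starts from a stale cursor offset.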
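Review bot: in the db_readline hunk the guard `if (lsize < 3)` and the reservation `lsize -= 2;` are two related magic numbers; give the reserved byte count a name and derive the minimum from it so they cannot drift apart. `return (0);` for an undersized buffer silently reports an empty line to the caller; a buffer with no room for one character plus the two terminators is a programming error, so a comment on the return value or a KASSERT would make the contract visible. The clears `lstart[lsize - 1] = lstart[lsize - 2] = 0;` run before the decrement and therefore hit exactly the two reserved slots, which is correct; the comment could say so, since a later reader may be tempted to move them after `lsize -= 2`. Note also that the reduced lsize is what reaches the existing `if (lsize != db_lhistlsize)` check, so history is still reinitialised only when callers change buffer size, as before.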
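The accounting error the report describes, and the shape of the fix, can be shown outside the kernel. The following C program is an added illustration, not the FreeBSD ddb source or the patch above: `readline_buggy` accepts up to `lsize` characters and then appends the newline and NUL, while `readline_fixed` reserves and pre-clears the two terminator slots first, as the patch does. Input comes from a constructed string instead of the console, the 16-byte buffer size is a constructed stand-in for ddb's larger one, and the function names and the `canaries_intact` harness are hypothetical names for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not the FreeBSD ddb source): a minimal line reader that,
 * like db_readline() as described in the PR, stores the line, a trailing
 * '\n' and a NUL into the caller's buffer.  readline_buggy, readline_fixed,
 * canaries_intact and fixed_result_len are hypothetical names.
 */

#define BUF_SIZE 16   /* constructed caller buffer; the real ddb one is larger */

/* Buggy accounting: accepts up to lsize characters and only then appends
 * '\n' and NUL, so a full line writes two bytes past lstart[lsize - 1]. */
static int readline_buggy(const char *input, char *lstart, int lsize)
{
	int n = 0;

	while (input[n] != '\0' && input[n] != '\n' && n < lsize) {
		lstart[n] = input[n];
		n++;
	}
	lstart[n++] = '\n';	/* may land at lstart[lsize]     */
	lstart[n] = '\0';	/* may land at lstart[lsize + 1] */
	return (n);
}

/* Fixed accounting in the style of the patch: refuse buffers that cannot
 * hold one character plus the two terminators, pre-clear the two reserved
 * slots, and shrink the limit the input loop sees. */
static int readline_fixed(const char *input, char *lstart, int lsize)
{
	int n = 0;

	if (lsize < 3)
		return (0);
	lstart[lsize - 1] = lstart[lsize - 2] = 0;
	lsize -= 2;		/* allow space for newline and terminating NUL */
	while (input[n] != '\0' && input[n] != '\n' && n < lsize) {
		lstart[n] = input[n];
		n++;
	}
	lstart[n++] = '\n';	/* at most lstart[original lsize - 2] */
	lstart[n] = '\0';	/* at most lstart[original lsize - 1] */
	return (n);
}

/*
 * Harness: place the caller buffer in front of two canary bytes and report
 * whether the reader left them untouched (1) or overwrote them (0).  The
 * canaries are part of the same array, so the buggy writes stay inside it
 * and the overrun is observed instead of being undefined behaviour.
 */
static int canaries_intact(int (*reader)(const char *, char *, int),
    const char *input)
{
	unsigned char storage[BUF_SIZE + 2];

	memset(storage, 0, sizeof(storage));
	storage[BUF_SIZE] = 0xAA;
	storage[BUF_SIZE + 1] = 0xBB;
	reader(input, (char *)storage, BUF_SIZE);
	return (storage[BUF_SIZE] == 0xAA && storage[BUF_SIZE + 1] == 0xBB);
}

/* Byte count the fixed reader reports for a given lsize, so the lsize < 3
 * guard and the reduced capacity can be checked directly. */
static int fixed_result_len(const char *input, int lsize)
{
	char buf[BUF_SIZE + 2];

	memset(buf, 0, sizeof(buf));
	return (readline_fixed(input, buf, lsize));
}

int main(void)
{
	/* Constructed input: exactly BUF_SIZE characters, as in How-To-Repeat. */
	const char *full = "aaaaaaaa" "aaaaaaaa";
	const char *shortline = "hi";

	printf("buggy, short line: canaries %s\n",
	    canaries_intact(readline_buggy, shortline) ? "intact" : "CLOBBERED");
	printf("buggy, full line : canaries %s\n",
	    canaries_intact(readline_buggy, full) ? "intact" : "CLOBBERED");
	printf("fixed, full line : canaries %s\n",
	    canaries_intact(readline_fixed, full) ? "intact" : "CLOBBERED");
	printf("fixed, lsize 2   : returns %d (refused)\n", fixed_result_len("x", 2));
	return (0);
}
```

A short line leaves the canaries alone in both versions, which is why the bug only shows up once the buffer is filled; the fixed reader trades two bytes of capacity for the guarantee that the newline and NUL never leave the caller's buffer.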