Date: Sun, 24 Jan 2016 01:20:13 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206552] [libc] Possible buffer overflow after flushing line-buffered files when only partial data was written
Message-ID: <bug-206552-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206552

Bug ID: 206552
Summary: [libc] Possible buffer overflow after flushing line-buffered files when only partial data was written
Product: Base System
Version: 10.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: mccoy@doctor.com

Created attachment 166034
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=166034&action=edit
A test program that demonstrates the buffer overflow

Please see the attached file evil.c for a possible scenario where it's possible to trigger a buffer overflow. It uses a somewhat contrived example of non-blocking pipes as the underlying file descriptor, mainly because it's easy to trigger (partially) failed writes.

The defect can be located in the code /usr/src/lib/libc/stdio/fflush.c, function __sflush. Line-buffered files where write(s) have partially succeeded will have their internal write pointer increased, but do not get a corresponding write-space decrease. (So the defect is: if fp is a FILE *, then fp->_p is increased but fp->_w is NOT decreased in this situation.)

Sample output on my FreeBSD 10.2-RELEASE-p7 amd64 machine:

zsh 1311 % cc evil.c -o evil && ./evil
rc from fread(1): 1
rc from fwrite(1): 1
rc from fwrite(1021): 1021
rc from fflush: -1
rc from fwrite(1): 1
rc from fwrite(4): 4
Canary overwritten: 97 65 98 66

--
You are receiving this mail because:
You are the assignee for the bug.
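A small model of the _p/_w bookkeeping the report describes, added here as an illustration; it is neither the reporter's evil.c nor libc code. It assumes the FreeBSD convention that a line-buffered stream keeps _w at 0 after a flush and computes its free room as _w + _bf._size; the "fixed" variant simply applies the reporter's diagnosis (also decrement _w for line-buffered streams) and is not the committed FreeBSD patch. SLBF and the struct are stand-ins for the real __SLBF flag and FILE fields.

```c
/* Model of write-side bookkeeping in __sflush() (lib/libc/stdio/fflush.c).
 * Illustration only: stand-in struct and flag, not libc's FILE or __SLBF. */
#include <stddef.h>
#include <string.h>

#define SLBF 0x01 /* stand-in for the real __SLBF flag value */

struct model_file {
    unsigned char *base; /* _bf._base */
    int size;            /* _bf._size */
    unsigned char *p;    /* _p: next write position in the buffer */
    int w;               /* _w: write-space counter */
    int flags;
};

/* After setup, a line-buffered stream has _w == 0 (room = _w + size). */
static void model_setup(struct model_file *fp, unsigned char *buf, int size, int flags)
{
    fp->base = buf; fp->size = size; fp->p = buf; fp->flags = flags;
    fp->w = (flags & SLBF) ? 0 : size;
}

/* Flush where write() accepted only `written` of the `n` pending bytes.
 * `fixed` == 0 reproduces the accounting the report describes: _p is
 * advanced past the unwritten tail but _w is left untouched for SLBF. */
static int model_sflush(struct model_file *fp, int written, int fixed)
{
    int n = (int)(fp->p - fp->base);
    fp->p = fp->base;
    fp->w = (fp->flags & SLBF) ? 0 : fp->size;
    if (written >= n)
        return 0;
    n -= written;
    memmove(fp->base, fp->base + written, (size_t)n); /* keep unwritten tail */
    fp->p += n;
    if (fixed || !(fp->flags & SLBF))
        fp->w -= n; /* the decrement the report says is missing for SLBF */
    return -1;
}

/* Room stdio believes is left (line-buffered formula) minus the room that
 * really remains before the end of the buffer: > 0 means a later buffered
 * write can run past _bf._base + _bf._size. Buffer is a constructed 4096-byte
 * array, so `size` must be <= 4096. */
int overrun_after_partial_flush(int size, int pending, int written, int fixed)
{
    unsigned char buf[4096];
    struct model_file f;
    model_setup(&f, buf, size, SLBF);
    f.p += pending; f.w -= pending;                /* buffer `pending` bytes */
    model_sflush(&f, written, fixed);
    int believed = f.w + f.size;                   /* _w + _bf._size for SLBF */
    int real = (int)(f.base + f.size - f.p);
    return believed > real ? believed - real : 0;
}
```

With a 1024-byte buffer holding 1022 bytes of which the kernel accepted one, the unfixed accounting claims the whole buffer is free while only 3 bytes really are; the corrected accounting reports no excess.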
