Date: Sun, 6 Feb 2022 19:07:35 +0100
From: Dimitry Andric <dim@FreeBSD.org>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: "src-committers@freebsd.org" <src-committers@FreeBSD.org>, "dev-commits-src-all@freebsd.org" <dev-commits-src-all@FreeBSD.org>, "dev-commits-src-main@freebsd.org" <dev-commits-src-main@FreeBSD.org>
Subject: Re: git: e17fede8ff46 - main - Fix too small sscanf output buffers in kbdmap
Message-ID: <CAA4DB6F-CE70-413E-B39C-A44865066701@FreeBSD.org>
In-Reply-To: <20220206154131.ym3wthb4jby4jz25@mutt-hbsd>
References: <202202061526.216FQ0uH082668@gitrepo.freebsd.org> <20220206154131.ym3wthb4jby4jz25@mutt-hbsd>
On 6 Feb 2022, at 16:41, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
> On Sun, Feb 06, 2022 at 03:26:00PM +0000, Dimitry Andric wrote:
>> The branch main has been updated by dim:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=e17fede8ff4629b5ff640ed660940b04c70da0b6
>>
>> commit e17fede8ff4629b5ff640ed660940b04c70da0b6
>> Author:     Dimitry Andric <dim@FreeBSD.org>
>> AuthorDate: 2022-02-06 15:25:11 +0000
>> Commit:     Dimitry Andric <dim@FreeBSD.org>
>> CommitDate: 2022-02-06 15:25:25 +0000
>>
>>     Fix too small sscanf output buffers in kbdmap
>>
>>     This fixes the following warnings from clang 14:
>>
>>     usr.sbin/kbdmap/kbdmap.c:241:16: error: 'sscanf' may overflow; destination buffer in argument 5 has size 20, but the corresponding specifier may require size 21 [-Werror,-Wfortify-source]
>>                    &a, &b, buf);
>>                    ^
...
> Would commits like this and d310bf3867b4168e57365196c3a31797c0538097
> normally cause SAs? Off-by-one bugs are typically considered security
> bugs.

In this particular case, you could make /usr/sbin/kbdmap (or its alias /usr/sbin/vidfont) crash by deliberately corrupting /etc/rc.conf or the various INDEX.keymaps files under /usr/share. But what you would gain from this is unclear: none of these tools is setuid, and you already need to be root to edit those files.

In the case of /usr/sbin/bootparamd, you could make it crash on a deliberately corrupted /etc/bootparams file. Again, this tool is not setuid, and you can only edit the file if you are root anyway.

-Dimitry
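The clang diagnostic quoted in the commit message is about a single byte: a "%20s" (or "%20[set]") conversion stores up to 20 characters plus the terminating NUL, so its destination must be at least 21 bytes, and a `char buf[20]` is one short. The block below is an added example written for this page, not code from kbdmap, bootparamd or the FreeBSD commit; the `parse_entry` function, the `struct entry` type, the "<int> <int> <word>" line format and the sample input lines are all constructed to resemble the pattern the warning describes.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not the kbdmap source). It shows why a char[20]
 * destination is one byte too small for a "%20s" conversion, and one
 * way to keep the field width and the buffer size from drifting apart.
 */

/* Bytes a "%<width>s" or "%<width>[set]" conversion may write: width + NUL. */
size_t scanf_dest_size(unsigned width)
{
    return (size_t)width + 1;
}

/* 1 if a buffer of buf_size bytes can hold a field of the given width. */
int dest_fits(size_t buf_size, unsigned width)
{
    return scanf_dest_size(width) <= buf_size;
}

/*
 * The mismatched pattern the warning points at, left as a comment because
 * executing it is undefined behaviour (heap or stack overflow by one byte):
 *
 *     char buf[20];
 *     sscanf(line, "%d %d %20s", &a, &b, buf);   // may write 21 bytes
 */

/*
 * Hardened version: the width comes from one macro, the buffer is declared
 * as width + 1, and the format string is built from the same macro, so a
 * later edit cannot change one without the other.
 */
#define KEYWORD_WIDTH 20
#define STR2(x) #x
#define STR(x) STR2(x)

struct entry {
    int a;
    int b;
    char keyword[KEYWORD_WIDTH + 1];   /* 20 characters + NUL */
};

/* Parses a constructed "<int> <int> <word>" line; returns the number of
 * fields converted (3 on success). Overlong words are truncated to
 * KEYWORD_WIDTH characters by sscanf itself, never written past the end. */
int parse_entry(const char *line, struct entry *e)
{
    memset(e, 0, sizeof *e);
    return sscanf(line, "%d %d %" STR(KEYWORD_WIDTH) "s",
                  &e->a, &e->b, e->keyword);
}

int main(void)
{
    struct entry e;
    /* Constructed input: a 25-character word, longer than the field width. */
    const char *line = "1 2 abcdefghijklmnopqrstuvwxy";

    printf("char[20] fits %%20s: %s\n", dest_fits(20, 20) ? "yes" : "no");
    printf("char[21] fits %%20s: %s\n", dest_fits(21, 20) ? "yes" : "no");
    if (parse_entry(line, &e) == 3)
        printf("a=%d b=%d keyword=\"%s\" (%zu chars)\n",
               e.a, e.b, e.keyword, strlen(e.keyword));
    return 0;
}
```

The width-from-macro trick is the point: the warning in the commit exists because the buffer size and the "%20" in the format were two independent literals, and `-Wfortify-source` only catches the case where clang can see both at compile time.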