Date: Tue, 25 Jan 2022 01:40:14 GMT
From: Jessica Clarke <jrtc27@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 5d10ed57e655 - stable/13 - libc: Fix "harmless" iconv one-byte overread
Message-ID: <202201250140.20P1eE9j048257@gitrepo.freebsd.org>
The branch stable/13 has been updated by jrtc27: URL: https://cgit.FreeBSD.org/src/commit/?id=5d10ed57e655a2d5923f243955291da219c07a42 commit 5d10ed57e655a2d5923f243955291da219c07a42 Author: Jessica Clarke <jrtc27@FreeBSD.org> AuthorDate: 2021-12-21 22:47:38 +0000 Commit: Jessica Clarke <jrtc27@FreeBSD.org> CommitDate: 2022-01-24 23:59:47 +0000 libc: Fix "harmless" iconv one-byte overread Checking there are still bytes left must be done before dereferencing the pointer, not the other way round. This is harmless on traditional architectures since the result will immediately be thrown away, and all callers are in separate translation units so there is no potential for optimising based on this out-of-bounds read. However, on CHERI, pointers are bounded, and so this will trap if fed a string that does not have a NUL within the first len bytes. Found by: CHERI Reviewed by: brooks (cherry picked from commit 6d5297569e70eb71eeb7ae5278a165d4ffb50874) --- lib/libc/iconv/citrus_bcs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libc/iconv/citrus_bcs.c b/lib/libc/iconv/citrus_bcs.c index b8484a0d793e..cd88ea7fe2fd 100644 --- a/lib/libc/iconv/citrus_bcs.c +++ b/lib/libc/iconv/citrus_bcs.c @@ -109,7 +109,7 @@ const char * _citrus_bcs_skip_ws_len(const char * __restrict p, size_t * __restrict len) { - while (*p && *len > 0 && _bcs_isspace(*p)) { + while (*len > 0 && *p && _bcs_isspace(*p)) { p++; (*len)--; } @@ -124,7 +124,7 @@ const char * _citrus_bcs_skip_nonws_len(const char * __restrict p, size_t * __restrict len) { - while (*p && *len > 0 && !_bcs_isspace(*p)) { + while (*len > 0 && *p && !_bcs_isspace(*p)) { p++; (*len)--; }
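Review bot: In the first hunk (_citrus_bcs_skip_ws_len), memory safety of the loop now rests entirely on operand order in `while (*len > 0 && *p && _bcs_isspace(*p))`, and nothing in the code records that. A short comment above the loop saying that `*len > 0` must be evaluated before `*p` is read, because `p` may point one past the end of the buffer once `*len` reaches zero, would stop a later tidy-up from swapping the operands back. It would also help to state in the function's comment whether stopping at a NUL that occurs before `*len` bytes are consumed is intended, since the `*p` test keeps that behaviour.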
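Review bot: The second hunk (_citrus_bcs_skip_nonws_len) repeats the same bounded-scan condition as the function above with only the `!` differing, so the same ordering mistake had to be fixed twice and no test accompanies either fix. Consider a regression test that passes each function a buffer of exactly `*len` bytes with no NUL terminator (all whitespace for one, all non-whitespace for the other) and checks that `*len` comes back as 0; run under a bounds-checking build, it would catch a read of `p[len]` on architectures where the overread does not trap on its own. Factoring the shared loop into one static helper that takes the expected `_bcs_isspace` result would leave a single place where the order of the checks matters.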