Date:      Wed, 16 Jun 2021 16:21:03 GMT
From:      Alex Richardson <arichardson@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 1a2f06d0f290 - main - vis(3): avoid out-of-bounds stack buffer reads
Message-ID:  <202106161621.15GGL3BS007088@gitrepo.freebsd.org>

The branch main has been updated by arichardson:

URL: https://cgit.FreeBSD.org/src/commit/?id=1a2f06d0f2905c9a18340b377cbbe772f2ca6844

commit 1a2f06d0f2905c9a18340b377cbbe772f2ca6844
Author:     Alex Richardson <arichardson@FreeBSD.org>
AuthorDate: 2021-06-16 15:27:13 +0000
Commit:     Alex Richardson <arichardson@FreeBSD.org>
CommitDate: 2021-06-16 15:27:13 +0000

    vis(3): avoid out-of-bounds stack buffer reads
    
    I found this while running kdump(1) on a CheriBSD system due to a
    capability length violation when printing the /etc/libmap.conf read()
    system call: it crashed immediately after printing the first line.
    
    Found by:       CHERI
    Reviewed By:    jhb
    MFC after:      3 days
    Differential Revision: https://reviews.freebsd.org/D30771
---
 contrib/libc-vis/vis.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/contrib/libc-vis/vis.c b/contrib/libc-vis/vis.c
index 21c07b70619d..c43186a44b51 100644
--- a/contrib/libc-vis/vis.c
+++ b/contrib/libc-vis/vis.c
@@ -465,7 +465,8 @@ istrsenvisx(char **mbdstp, size_t *dlen, const char *mbsrc, size_t mblength,
 	while (mbslength > 0) {
 		/* Convert one multibyte character to wchar_t. */
 		if (!cerr)
-			clen = mbrtowc(src, mbsrc, MB_LEN_MAX, &mbstate);
+			clen = mbrtowc(src, mbsrc, MIN(mbslength, MB_LEN_MAX),
+			    &mbstate);
 		if (cerr || clen < 0) {
 			/* Conversion error, process as a byte instead. */
 			*src = (wint_t)(u_char)*mbsrc;
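
Review bot: On the new mbrtowc(src, mbsrc, MIN(mbslength, MB_LEN_MAX), &mbstate) call, capping n at mbslength means a multibyte character cut off at the end of the input now produces the incomplete-sequence return (size_t)-2 instead of a read past the buffer, and the `clen < 0` test on the next line only routes that case to the byte fallback if clen is a signed type, which this hunk does not show. Please confirm the declaration, and consider resetting mbstate before the fallback, since mbrtowc leaves the partial sequence recorded in it after a -2 return. MIN() also needs a definition in scope; no include is visible in the hunk. The diffstat touches only vis.c, so a regression test with a source buffer shorter than MB_LEN_MAX bytes would help keep this from coming back.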


