Date: Fri, 10 Apr 2020 00:25:15 +0000 (UTC) From: Kyle Evans <kevans@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r359762 - in stable: 11/usr.sbin/config 12/usr.sbin/config Message-ID: <202004100025.03A0PF2A012588@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kevans Date: Fri Apr 10 00:25:14 2020 New Revision: 359762 URL: https://svnweb.freebsd.org/changeset/base/359762 Log: MFC r359689: config(8): "fix" a couple of buffer overflows Recently added/changed lines in various kernel configs have caused some buffer overflows that went undetected. These were detected with a config built using -fno-common as these line buffers smashed one of our arrays, then further triaged with ASAN. Double the sizes; this is really not a great fix, but addresses the immediate need until someone rewrites config. While here, add some bounds checking so that we don't need to detect this by random bus errors or other weird failures. Modified: stable/12/usr.sbin/config/main.c Directory Properties: stable/12/ (props changed) Changes in other areas also in this revision: Modified: stable/11/usr.sbin/config/main.c Directory Properties: stable/11/ (props changed) Modified: stable/12/usr.sbin/config/main.c ============================================================================== --- stable/12/usr.sbin/config/main.c Fri Apr 10 00:23:34 2020 (r359761) +++ stable/12/usr.sbin/config/main.c Fri Apr 10 00:25:14 2020 (r359762) @@ -313,7 +313,7 @@ usage(void) char * get_word(FILE *fp) { - static char line[80]; + static char line[160]; int ch; char *cp; int escaped_nl = 0; @@ -343,11 +343,17 @@ begin: *cp = 0; return (line); } - while ((ch = getc(fp)) != EOF) { + while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) { if (isspace(ch)) break; *cp++ = ch; } + if (cp >= line + sizeof(line)) { + line[sizeof(line) - 1] = '\0'; + fprintf(stderr, "config: attempted overflow, partial line: `%s'", + line); + exit(2); + } *cp = 0; if (ch == EOF) return ((char *)EOF); @@ -363,7 +369,7 @@ begin: char * get_quoted_word(FILE *fp) { - static char line[256]; + static char line[512]; int ch; char *cp; int escaped_nl = 0; @@ -406,15 +412,29 @@ begin: } if (ch != quote && escaped_nl) *cp++ = '\\'; + if (cp >= line + sizeof(line)) { + line[sizeof(line) - 1] = '\0'; + printf( + "config: line buffer overflow reading partial line `%s'\n", + line); + exit(2); + } *cp++ = ch; escaped_nl = 0; } } else { *cp++ = ch; - while ((ch = getc(fp)) != EOF) { + while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) { if (isspace(ch)) break; *cp++ = ch; + } + if (cp >= line + sizeof(line)) { + line[sizeof(line) - 1] = '\0'; + printf( + "config: line buffer overflow reading partial line `%s'\n", + line); + exit(2); } if (ch != EOF) (void) ungetc(ch, fp);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202004100025.03A0PF2A012588>