From: Kyle Evans
Date: Fri, 10 Apr 2020 00:25:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r359762 - in stable: 11/usr.sbin/config 12/usr.sbin/config

Author: kevans
Date: Fri Apr 10 00:25:14 2020
New Revision: 359762
URL: https://svnweb.freebsd.org/changeset/base/359762

Log:
  MFC r359689: config(8): "fix" a couple of buffer overflows

  Recently added/changed lines in various kernel configs have caused some buffer
  overflows that went undetected. These were detected with a config built using
  -fno-common as these line buffers smashed one of our arrays, then further
  triaged with ASAN.

  Double the sizes; this is really not a great fix, but addresses the immediate
  need until someone rewrites config.

  While here, add some bounds checking so that we don't need to detect this by
  random bus errors or other weird failures.

Modified:
  stable/12/usr.sbin/config/main.c
Directory Properties:
  stable/12/ (props changed)

Changes in other areas also in this revision:
Modified:
  stable/11/usr.sbin/config/main.c
Directory Properties:
  stable/11/ (props changed)

Modified: stable/12/usr.sbin/config/main.c
==============================================================================
--- stable/12/usr.sbin/config/main.c Fri Apr 10 00:23:34 2020 (r359761)
+++ stable/12/usr.sbin/config/main.c Fri Apr 10 00:25:14 2020 (r359762)
@@ -313,7 +313,7 @@ usage(void) char * get_word(FILE *fp) { - static char line[80]; + static char line[160]; int ch; char *cp; int escaped_nl = 0; @@ -343,11 +343,17 @@ begin: *cp = 0; return (line); } - while ((ch = getc(fp)) != EOF) { + while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) { if (isspace(ch)) break; *cp++ = ch; } + if (cp >= line + sizeof(line)) { + line[sizeof(line) - 1] = '\0'; + fprintf(stderr, "config: attempted overflow, partial line: `%s'", + line); + exit(2); + } *cp = 0; if (ch == EOF) return ((char *)EOF); @@ -363,7 +369,7 @@ begin: char * get_quoted_word(FILE *fp) { - static char line[256]; + static char line[512]; int ch; char *cp; int escaped_nl = 0; @@ -406,15 +412,29 @@ begin: } if (ch != quote && escaped_nl) *cp++ = '\\'; + if (cp >= line + sizeof(line)) { + line[sizeof(line) - 1] = '\0'; + printf( + "config: line buffer overflow reading partial line `%s'\n", + line); + exit(2); + } *cp++ = ch; escaped_nl = 0; } } else { *cp++ = ch; - while ((ch = getc(fp)) != EOF) { + while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) { if (isspace(ch)) break; *cp++ = ch; + } + if (cp >= line + sizeof(line)) { + line[sizeof(line) - 1] = '\0'; + printf( + "config: line buffer overflow reading partial line `%s'\n", + line); + exit(2); } if (ch != EOF) (void) ungetc(ch, fp);
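
Review bot: In get_word() (hunk at -313,7), the new buffer size is still a bare literal, "static char line[160];", and nothing in the hunk records what the longest legal word is or why 160 is enough. Suggest a named constant with a one-line comment at the declaration, so the limit that the later sizeof(line) checks enforce is documented where it is set. The same applies to "static char line[512];" in get_quoted_word().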
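
Review bot: In the get_word() hunk at -343,11, the overflow diagnostic is inconsistent with the two added to get_quoted_word(): it goes to stderr through fprintf, uses different wording ("attempted overflow, partial line"), and its format string has no trailing "\n", so the message runs into whatever is printed next. Suggest one message text and one output stream for all three sites, with the newline. The bounds logic in this hunk is sound: the loop stops storing once cp reaches line + sizeof(line), and the check ahead of "*cp = 0;" exits when no byte is left for the terminator.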
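
Review bot: In the quoted-string branch of get_quoted_word() (hunk at -406,15), the new check sits after the unchanged "*cp++ = '\\';", so when cp already equals line + sizeof(line) and an escape is pending, the backslash is stored one byte past the buffer before the check runs. Move the check above "if (ch != quote && escaped_nl)", or test there for room for two bytes. The check also only guarantees room for the "*cp++ = ch;" store, so cp can leave this loop equal to line + sizeof(line); any terminator written at *cp afterwards needs the same post-loop guard that the unquoted branch gets in this hunk.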