Date:      Fri, 17 Jul 2015 18:42:26 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 201657] Buffer overflow in libdtrace
Message-ID:  <bug-201657-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201657

            Bug ID: 201657
           Summary: Buffer overflow in libdtrace
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: pfg@FreeBSD.org

While testing with the experimental version of FORTIFY_SOURCE from GSoC 2015,
this issue was found on MIPS (with the native gcc 4.2.1).
...
===> cddl/lib/libdtrace (all)
cc1: warnings being treated as errors
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c: In function 'dt_printf_format':
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c:1562: warning: call to __snprintf_chk will always overflow destination buffer
--- dt_printf.So ---
*** [dt_printf.So] Error code 1

make[7]: stopped in /scratch/tmp/pfg/head/cddl/lib/libdtrace
1 error
...

For comparison, coverity found this:

1561                if (width != 0)
1562                        f += snprintf(f, sizeof (format), "%d", ABS(width));
1563

60. Condition prec > 0, taking true branch
1564                if (prec > 0)

CID 1018005 (#1 of 1): Out-of-bounds access (OVERRUN)
61. overrun-buffer-arg: Overrunning buffer pointed to by f of 64 bytes by
passing it to a function which accesses it at byte offset 70 using argument
64U. [Note: The source code implementation of the function has been overridden
by a builtin model.]
1565                        f += snprintf(f, sizeof (format), ".%d", prec);
1566
...

-- 
You are receiving this mail because:
You are the assignee for the bug.
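The defect both tools point at is the same one: a cursor `f` advances through the fixed 64-byte `format[]` buffer, but every `snprintf()` call is still told it has `sizeof (format)` bytes available, so once enough prefix has been written the call is permitted to run past the end. A second, quieter problem is that `f += snprintf(...)` adds the length snprintf *would* have written, so the cursor can end up beyond the buffer even when snprintf itself truncated safely. The following C program is an added example, not libdtrace code and not the reporter's: it reproduces the pattern in a model function, places the 64-byte buffer inside a larger canary-filled block so the overrun is observable rather than undefined behaviour, and shows the hardened form that passes the remaining capacity and refuses an append that would not fit. The function names, the 60-byte prefix and the width/precision values are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FMT_SIZE   64      /* size of the fixed format[] buffer, as in the report */
#define CANARY     0xA5
#define PREFIX_LEN 60      /* constructed: bytes already in the buffer before width/prec */

typedef int (*fmt_fn)(char *, size_t, const char *, int, int);

/* Buggy pattern (models dt_printf_format): the size argument never shrinks
 * as f advances, and f is advanced by snprintf's would-be length. */
static int format_width_prec_buggy(char *format, size_t size,
                                   const char *prefix, int width, int prec)
{
    char *f = format;
    size_t plen = strlen(prefix);

    if (plen >= size)
        return -1;
    memcpy(f, prefix, plen + 1);
    f += plen;
    if (width != 0)
        f += snprintf(f, size, "%d", abs(width));   /* bound should be the space left */
    if (prec > 0)
        f += snprintf(f, size, ".%d", prec);        /* same mistake */
    return (int)(f - format);
}

/* Capacity left after the cursor; 0 once f has reached or passed the end. */
static size_t remaining(const char *format, size_t size, const char *f)
{
    size_t used = (size_t)(f - format);
    return used < size ? size - used : 0;
}

/* Hardened pattern: pass the remaining space and treat a return value of
 * remaining or more as "did not fit" instead of moving the cursor past the end. */
static int format_width_prec_fixed(char *format, size_t size,
                                   const char *prefix, int width, int prec)
{
    char *f = format;
    size_t plen = strlen(prefix);
    int n;

    if (plen >= size)
        return -1;
    memcpy(f, prefix, plen + 1);
    f += plen;
    if (width != 0) {
        n = snprintf(f, remaining(format, size, f), "%d", abs(width));
        if (n < 0 || (size_t)n >= remaining(format, size, f))
            return -1;                              /* refuse rather than overrun */
        f += n;
    }
    if (prec > 0) {
        n = snprintf(f, remaining(format, size, f), ".%d", prec);
        if (n < 0 || (size_t)n >= remaining(format, size, f))
            return -1;
        f += n;
    }
    return (int)(f - format);
}

/* Harness: the 64-byte format[] lives at the start of a 128-byte canary block,
 * so bytes written past format[FMT_SIZE-1] can be counted instead of crashing. */
static int count_clobbered(fmt_fn fn, const char *prefix, int width, int prec, int *ret)
{
    unsigned char block[FMT_SIZE * 2];
    int clobbered = 0;

    memset(block, CANARY, sizeof(block));
    *ret = fn((char *)block, FMT_SIZE, prefix, width, prec);
    for (size_t i = FMT_SIZE; i < sizeof(block); i++)
        if (block[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* Constructed worst case: 60 bytes of prefix leave 4 bytes for "%d" and ".%d". */
static int demo_long(fmt_fn fn, int *ret)
{
    char prefix[PREFIX_LEN + 1];
    memset(prefix, '0', PREFIX_LEN);
    prefix[PREFIX_LEN] = '\0';
    return count_clobbered(fn, prefix, 100000, 12345, ret);
}

int demo_buggy_clobbered(void) { int r; return demo_long(format_width_prec_buggy, &r); }
int demo_buggy_return(void)    { int r; demo_long(format_width_prec_buggy, &r); return r; }
int demo_fixed_clobbered(void) { int r; return demo_long(format_width_prec_fixed, &r); }
int demo_fixed_return(void)    { int r; demo_long(format_width_prec_fixed, &r); return r; }

/* Well-formed input: both versions agree, producing "%-10.3" (6 bytes). */
int demo_small(fmt_fn fn) { int r; count_clobbered(fn, "%-", 10, 3, &r); return r; }
int demo_small_buggy(void) { return demo_small(format_width_prec_buggy); }
int demo_small_fixed(void) { return demo_small(format_width_prec_fixed); }

int main(void)
{
    printf("buggy: %d canary bytes clobbered, cursor at %d\n",
           demo_buggy_clobbered(), demo_buggy_return());
    printf("fixed: %d canary bytes clobbered, return %d\n",
           demo_fixed_clobbered(), demo_fixed_return());
    return 0;
}
```

With the long prefix the buggy version writes "100000" and ".12345" (plus terminators) straight through the end of the 64-byte buffer and leaves the cursor at offset 72, which is the kind of arithmetic Coverity reports as "accesses it at byte offset 70 using argument 64U"; the hardened version writes nothing past the buffer and returns -1. The check `n >= remaining` matters as much as the corrected size argument: without it, a truncating snprintf still pushes the cursor out of bounds for the next call.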


