From owner-freebsd-security@freebsd.org Thu May 18 05:12:16 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0F04BD720EA for ; Thu, 18 May 2017 05:12:16 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id EF3F510C6 for ; Thu, 18 May 2017 05:12:15 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v4I5CFeF050567 for ; Thu, 18 May 2017 05:12:15 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-security@FreeBSD.org Subject: [Bug 219154] [PATCH] buffer overflows in realpath(3) Date: Thu, 18 May 2017 05:12:15 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: patch X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: jan.kokemueller@gmail.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-security@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: attachments.created Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-Mailman-Approved-At: Thu, 18 May 2017 12:12:55 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 May 2017 05:12:16 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D219154 --- Comment #7 from Jan Kokem=C3=BCller --- Created attachment 182684 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D182684&action= =3Dedit More tests for realpath(3) Here is a patch that adds 'lib/libc/tests/gen/realpath2_test.c'. The first test triggers the out of bounds read of the 'left' array. It only fails when realpath.c is compiled with '-fsanitize=3Daddress' so I'm not su= re how useful this test is. I didn't manage to read more than one byte beyond the buffer or trigger some visible faulty behavior. The other test checks for ENOENT when running into an empty symlink. This matches NetBSD's realpath(3) semantics. Previously, empty symlinks were tre= ated like ".". --=20 You are receiving this mail because: You are the assignee for the bug.=