From owner-freebsd-bugs@freebsd.org Mon May 8 22:22:54 2017 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 89BC5D64F04 for ; Mon, 8 May 2017 22:22:54 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2FD071827 for ; Mon, 8 May 2017 22:22:54 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v48MMsYp009433 for ; Mon, 8 May 2017 22:22:54 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 219154] [PATCH] buffer overflows in realpath(3) Date: Mon, 08 May 2017 22:22:54 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: patch X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: jan.kokemueller@gmail.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status keywords bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 May 2017 22:22:54 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D219154 Bug ID: 219154 Summary: [PATCH] buffer overflows in realpath(3) Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Keywords: patch Severity: Affects Only Me Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: jan.kokemueller@gmail.com Keywords: patch Created attachment 182421 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D182421&action= =3Dedit fixes for realpath(3) There are some buffer overflows in realpath(3). The attached patch fixes th= em: - The statement "left_len -=3D s - left;" does not take the slash into acc= ount if one was found. This results in the invariant "left[left_len] =3D=3D '\0'= " being violated (and possible buffer overflows). The patch replaces the variable "= s" with a size_t "next_token_len" for more clarity. - "slen" from readlink(2) can be 0 when encountering empty symlinks. Then, further down, "symlink[slen - 1]" underflows the buffer. When slen =3D=3D 0, realpath(3) should probably return ENOENT (http://austingroupbugs.net/view.php?id=3D825, https://lwn.net/Articles/551= 224/). Some other minor issues: - The condition "resolved_len >=3D PATH_MAX" cannot be true. - Similarly, "s - left >=3D sizeof(next_token)" cannot be true, as long as "sizeof(next_token) >=3D sizeof(left)". - Return ENAMETOOLONG when a resolved symlink from readlink(2) is too long= for the symlink buffer (instead of just truncating it). - "resolved_len > 1" below the call to readlink(2) is always true as "strlcat(resolved, next_token, PATH_MAX);" always results in a string of le= ngth > 1. Also, "resolved[resolved_len - 1] =3D '\0';" is not needed; there can = never be a trailing slash here. - The truncation check for "strlcat(symlink, left, sizeof(symlink));" shou= ld be against "sizeof(symlink)" (the third argument to strlcat) instead of "sizeof(left)". --=20 You are receiving this mail because: You are the assignee for the bug.=