Date: Wed, 14 Sep 2005 13:13:22 -0700 From: Trevor Blackwell <tlb@tlb.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/86135: Fwd: Latent buffer overflow in getcwd Message-ID: <1126728802.42486.3239.camel@lab> Resent-Message-ID: <200509142020.j8EKKLBP078868@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 86135
>Category: bin
>Synopsis: Latent buffer overflow in getcwd
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 14 20:20:21 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Trevor Blackwell
>Release: FreeBSD 5.4-RELEASE-p6 i386
>Organization:
Anybots Inc
>Environment:
System: FreeBSD tlb.anybots.com 5.4-RELEASE-p6 FreeBSD 5.4-RELEASE-p6 #0: Mon Sep 12 17:14:32 PDT 2005 root@tlb.anybots.com:/usr/obj/usr/src/sys/TLB i386
>Description:
The libc getcwd has a latent bug, where it allocates a buffer of 1020 bytes and assumes
it to have MAXPATHLEN (=1024) bytes. Normal modern mallocs will allocate 1024 bytes
anyway, but a different malloc could cause an overrun, and changing MAXPATHLEN could cause
trouble, and it'll cause trouble with debugging mallocs.
Allocating 1024-4 was an optimization assuming the existence of a malloc header, which
isn't the case nowadays. The most important think is that eup = up + upsize, but the most
robust plan is to allocate MAXPATHLEN bytes in case that changes.
>How-To-Repeat:
It wouldn't be easy to cause an actual corruption
>Fix:
Index: getcwd.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/gen/getcwd.c,v
retrieving revision 1.25
diff -c -r1.25 getcwd.c
*** getcwd.c 29 Oct 2003 10:45:01 -0000 1.25
--- getcwd.c 14 Sep 2005 18:25:48 -0000
***************
*** 115,123 ****
* Should always be enough (it's 340 levels). If it's not, allocate
* as necessary. Special case the first stat, it's ".", not "..".
*/
! if ((up = malloc(upsize = 1024 - 4)) == NULL)
goto err;
! eup = up + MAXPATHLEN;
bup = up;
up[0] = '.';
up[1] = '\0';
--- 115,123 ----
* Should always be enough (it's 340 levels). If it's not, allocate
* as necessary. Special case the first stat, it's ".", not "..".
*/
! if ((up = malloc(upsize = MAXPATHLEN)) == NULL)
goto err;
! eup = up + upsize;
bup = up;
up[0] = '.';
up[1] = '\0';
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1126728802.42486.3239.camel>