NetBSD Problem Report #26725

Received: (qmail 13976 invoked by uid 605); 20 Aug 2004 09:44:42 -0000
Message-Id: <20040820071813.2106E11152@narn.netbsd.org>
Date: Fri, 20 Aug 2004 07:18:13 +0000 (UTC)
From: rathamahata@ehouse.ru
Sender: gnats-bugs-owner@NetBSD.org
Reply-To: rathamahata@ehouse.ru
To: gnats-bugs@gnats.NetBSD.org
Subject: Typo in libedit, possible buffer overflow in src/lib/libedit/history.c:history_save()
X-Send-Pr-Version: www-1.0

>Number:         26725
>Category:       security
>Synopsis:       Typo in libedit, possible buffer overflow in src/lib/libedit/history.c:history_save()
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    security-officer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 20 09:45:00 +0000 2004
>Closed-Date:    Fri Aug 20 12:54:58 +0000 2004
>Last-Modified:  Sat Aug 21 16:33:00 +0000 2004
>Originator:     Sergey S. Kostyliov
>Release:        Neither
>Organization:
eHouse, Russia
>Environment:
Linux dev.srv.ehouse.ru 2.6.8.1 #1 SMP Sun Aug 15 22:35:45 MSD 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
>Description:
In src/lib/libedit/history.c:

private int
history_save(History *h, const char *fname)
{
        FILE *fp;
        HistEvent ev;
        int i = -1, retval;
        size_t len, max_size;
        char *ptr;
...
        ptr = h_malloc(max_size = 1024);
        if (ptr == NULL)
                goto done;
        for (i = 0, retval = HLAST(h, &ev);
            retval != -1;
            retval = HPREV(h, &ev), i++) {
                len = strlen(ev.str) * 4;
                if (len >= max_size) {
                        char *nptr;
                        max_size = (len + 1023) & 1023;
                        nptr = h_realloc(ptr, max_size);
                        if (nptr == NULL) {
                                i = -1;
                                goto oomem;
                        }
                        ptr = nptr;
                }
                (void) strvis(ptr, ev.str, VIS_WHITE);
                (void) fprintf(fp, "%s\n", ptr);
        }
oomem:
        h_free((ptr_t)ptr);
...
}

When strlen(ev.str) is large enough, it will be possible that ptr
(after h_realloc(ptr, max_size)) is smaller than ev.str.
>How-To-Repeat:
See: http://bugs.mysql.com/bug.php?id=4696
for further details.
>Fix:
It smells like this is an obvious typo.
Thanks to: Sergei Golubchik <serg@mysql.com> for pointing this out.

- max_size = (len + 1023) & 1023;
+ max_size = (len + 1023) & ~1023;
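Review bot: the corrected mask still rounds to exactly len when len is already a multiple of 1024, because `(len + 1023) & ~1023` only rounds up for unaligned values; since the grow is triggered by `len >= max_size` and strvis() writes len bytes plus a terminating NUL, an aligned len leaves the buffer one byte too small. Rounding with `(len + 1024) & ~1023`, or allocating len + 1 explicitly, avoids that edge case.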

See: http://lists.mysql.com/internals/16119
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: christos 
State-Changed-When: Fri Aug 20 08:54:37 EDT 2004 
State-Changed-Why:  
fixed, thanks 

From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:  
Subject: pr/26725 CVS commit: src/lib/libedit
Date: Fri, 20 Aug 2004 12:54:05 +0000 (UTC)

 Module Name:	src
 Committed By:	christos
 Date:		Fri Aug 20 12:54:05 UTC 2004

 Modified Files:
 	src/lib/libedit: history.c

 Log Message:
 PR/26725: Sergey S. Kostyliov: Typo in libedit, possible buffer overflow in src/lib/libedit/history.c:history_save()


 To generate a diff of this commit:
 cvs rdiff -r1.25 -r1.26 src/lib/libedit/history.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.


From: "Sergey S. Kostyliov" <rathamahata@ehouse.ru>
To: gnats-bugs@gnats.netbsd.org
Cc: christos@netbsd.org, security-officer@netbsd.org
Subject: Re: security/26725
Date: Sat, 21 Aug 2004 20:21:29 +0400

 On Friday 20 August 2004 16:54, christos@netbsd.org wrote:
 > Synopsis: Typo in libedit, possible buffer overflow in src/lib/libedit/history.c:history_save()
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: christos
 > State-Changed-When: Fri Aug 20 08:54:37 EDT 2004
 > State-Changed-Why: 
 > fixed, thanks
 Otto Moerbeek <otto@drijf.net>
 has just pointed out that the:
 	max_size = (len + 1023) & ~1023;
 patch is not enough (see http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00092.html)

 "... If
 len is a multiple of 1024,

 max_size = (len + 1023) & ~1023;

 will not increase it. Should probably be

 max_size = (len + 1024) & ~1023;"

 It looks like his statement is correct and either his patch or something like:
 	http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00096.html
 (which is a bit more intrusive but seems more self documented to me) is needed.


 -- 
 Sergey S. Kostyliov <rathamahata@ehouse.ru>
 Jabber ID: rathamahata@jabber.org
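The size arithmetic discussed in the original report and in the follow-up above, as an added example that is not part of the PR or of libedit: the helper names (grow_typo, grow_first_fix, grow_second_fix, history_next_max, history_buf_ok) are hypothetical, and the string lengths are constructed so that one of them makes len exactly 1024, the aligned case Otto Moerbeek describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration of the buffer-growth arithmetic in history_save();
 * these are hypothetical helpers, not libedit code.  strvis() may expand
 * each input byte to four output bytes and then writes a terminating NUL,
 * so the buffer must hold strlen(ev.str) * 4 + 1 bytes. */

/* The three candidate expressions, applied to len = strlen(ev.str) * 4. */
size_t grow_typo(size_t len)       { return (len + 1023) & 1023; }          /* '&' instead of '& ~': result is < 1024 */
size_t grow_first_fix(size_t len)  { return (len + 1023) & ~(size_t)1023; } /* equals len when len is 1024-aligned */
size_t grow_second_fix(size_t len) { return (len + 1024) & ~(size_t)1023; } /* always at least len + 1 */

/* Replay the grow decision of history_save()'s loop for one event string
 * and return the max_size the buffer would have afterwards. */
size_t history_next_max(size_t (*grow)(size_t), size_t max_size, size_t str_len)
{
    size_t len = str_len * 4;
    if (len >= max_size)        /* the condition used in history_save() */
        max_size = grow(len);
    return max_size;
}

/* True when that buffer can hold the strvis() output plus its NUL. */
bool history_buf_ok(size_t (*grow)(size_t), size_t max_size, size_t str_len)
{
    return history_next_max(grow, max_size, str_len) >= str_len * 4 + 1;
}

int main(void)
{
    /* Constructed lengths: strlen 256 gives len == 1024, the aligned edge case. */
    static const size_t lens[] = { 10, 255, 256, 300 };
    size_t (*const grows[])(size_t) = { grow_typo, grow_first_fix, grow_second_fix };
    static const char *const names[] = { "typo", "& ~1023", "+1024 & ~1023" };

    for (size_t g = 0; g < 3; g++)
        for (size_t i = 0; i < 4; i++)
            printf("%-14s strlen=%3zu -> max_size=%4zu %s\n", names[g], lens[i],
                   history_next_max(grows[g], 1024, lens[i]),
                   history_buf_ok(grows[g], 1024, lens[i]) ? "ok" : "OVERFLOW");
    return 0;
}
```

With the initial 1024-byte buffer, only the `(len + 1024) & ~1023` variant keeps every case in bounds; the first fix fails by exactly one byte at strlen 256.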
>Unformatted: