NetBSD Problem Report #26725
Received: (qmail 13976 invoked by uid 605); 20 Aug 2004 09:44:42 -0000
Message-Id: <20040820071813.2106E11152@narn.netbsd.org>
Date: Fri, 20 Aug 2004 07:18:13 +0000 (UTC)
From: rathamahata@ehouse.ru
Sender: gnats-bugs-owner@NetBSD.org
Reply-To: rathamahata@ehouse.ru
To: gnats-bugs@gnats.NetBSD.org
Subject: Typo in libedit, possible buffer overflow in src/lib/libedit/history.c:history_save()
X-Send-Pr-Version: www-1.0
>Number: 26725
>Category: security
>Synopsis: Typo in libedit, possible buffer overflow in src/lib/libedit/history.c:history_save()
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: security-officer
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Aug 20 09:45:00 +0000 2004
>Closed-Date: Fri Aug 20 12:54:58 +0000 2004
>Last-Modified: Sat Aug 21 16:33:00 +0000 2004
>Originator: Sergey S. Kostyliov
>Release: Neither
>Organization:
eHouse, Russia
>Environment:
Linux dev.srv.ehouse.ru 2.6.8.1 #1 SMP Sun Aug 15 22:35:45 MSD 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
>Description:
In src/lib/libedit/history.c:

private int
history_save(History *h, const char *fname)
{
    FILE *fp;
    HistEvent ev;
    int i = -1, retval;
    size_t len, max_size;
    char *ptr;
...
    ptr = h_malloc(max_size = 1024);
    if (ptr == NULL)
        goto done;
    for (i = 0, retval = HLAST(h, &ev);
        retval != -1;
        retval = HPREV(h, &ev), i++) {
        len = strlen(ev.str) * 4;
        if (len >= max_size) {
            char *nptr;
            max_size = (len + 1023) & 1023;
            nptr = h_realloc(ptr, max_size);
            if (nptr == NULL) {
                i = -1;
                goto oomem;
            }
            ptr = nptr;
        }
        (void) strvis(ptr, ev.str, VIS_WHITE);
        (void) fprintf(fp, "%s\n", ptr);
    }
oomem:
    h_free((ptr_t)ptr);
...
}
When strlen(ev.str) is large enough, it is possible that ptr
(after h_realloc(ptr, max_size)) is smaller than ev.str.
>How-To-Repeat:
See: http://bugs.mysql.com/bug.php?id=4696
for further details.
>Fix:
It smells like this is an obvious typo.
Thanks to: Sergei Golubchik <serg@mysql.com> for pointing this out.
- max_size = (len + 1023) & 1023;
+ max_size = (len + 1023) & ~1023;
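Review bot: the `+` line still leaves the buffer one byte short whenever `len` is an exact multiple of 1024. The caller reallocates on `len >= max_size`, and `(len + 1023) & ~1023` returns `len` unchanged in that case, so `max_size` ends up equal to `len` while `strvis()` may write `len` bytes plus the terminating NUL. Round to the next multiple instead, e.g. `max_size = (len + 1024) & ~1023;`, or otherwise guarantee `max_size > len` so that the `>=` test and the rounding agree.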
See: http://lists.mysql.com/internals/16119
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: christos
State-Changed-When: Fri Aug 20 08:54:37 EDT 2004
State-Changed-Why:
fixed, thanks
From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: pr/26725 CVS commit: src/lib/libedit
Date: Fri, 20 Aug 2004 12:54:05 +0000 (UTC)
Module Name: src
Committed By: christos
Date: Fri Aug 20 12:54:05 UTC 2004
Modified Files:
src/lib/libedit: history.c
Log Message:
PR/26725: Sergey S. Kostyliov: Typo in libedit, possible buffer overflow in src/lib/libedit/history.c:history_save()
To generate a diff of this commit:
cvs rdiff -r1.25 -r1.26 src/lib/libedit/history.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Sergey S. Kostyliov" <rathamahata@ehouse.ru>
To: gnats-bugs@gnats.netbsd.org
Cc: christos@netbsd.org, security-officer@netbsd.org
Subject: Re: security/26725
Date: Sat, 21 Aug 2004 20:21:29 +0400
On Friday 20 August 2004 16:54, christos@netbsd.org wrote:
> Synopsis: Typo in libedit, possible buffer overflow in src/lib/libedit/history.c:history_save()
>
> State-Changed-From-To: open->closed
> State-Changed-By: christos
> State-Changed-When: Fri Aug 20 08:54:37 EDT 2004
> State-Changed-Why:
> fixed, thanks
Otto Moerbeek <otto@drijf.net>
has just pointed out that the:
max_size = (len + 1023) & ~1023;
patch is not enough (see http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00092.html)
"... If
len is a multiple of 1024,
max_size = (len + 1023) & ~1023;
will not increase it. Should probably be
max_size = (len + 1024) & ~1023;"
It looks like his statement is correct and either his patch or something like:
http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00096.html
(which is a bit more intrusive but seems more self-documented to me) is needed.
--
Sergey S. Kostyliov <rathamahata@ehouse.ru>
Jabber ID: rathamahata@jabber.org
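Added example, not code from this PR or from libedit: a small C program that mirrors the growth step of history_save() with the three rounding expressions discussed in this report (the reported `& 1023`, the committed `& ~1023`, and Otto Moerbeek's `(len + 1024) & ~1023`) and checks each against the 4*strlen + 1 bytes that strvis(3) can write (four output bytes per input byte plus the NUL). The helper names, the 1024-byte initial size taken from the snippet above, and the sample string lengths are this example's own constructed choices.

```c
#include <stddef.h>
#include <stdio.h>

#define HIST_INITIAL 1024  /* h_malloc(max_size = 1024) in history_save() */

/* Worst case for strvis(3): 4 output bytes per input byte, plus the NUL. */
static size_t strvis_worst_case(size_t n)
{
    return n * 4 + 1;
}

/* As reported: `& 1023` keeps the low 10 bits instead of clearing them. */
static size_t round_buggy(size_t len)
{
    return (len + 1023) & 1023;
}

/* First committed fix: rounds up to a multiple of 1024, but returns len
 * unchanged when len is already a multiple of 1024. */
static size_t round_first_fix(size_t len)
{
    return (len + 1023) & ~(size_t)1023;
}

/* Otto Moerbeek's suggestion: the result is always strictly greater than len. */
static size_t round_otto(size_t len)
{
    return (len + 1024) & ~(size_t)1023;
}

/*
 * One iteration of history_save()'s growth logic for an n-byte ev.str:
 * len = strlen(ev.str) * 4, and the buffer is regrown only if len >= max_size.
 * Returns the max_size the buffer has at the moment strvis() is called.
 */
static size_t buffer_after_growth(size_t (*round_fn)(size_t), size_t n)
{
    size_t max_size = HIST_INITIAL;
    size_t len = n * 4;

    if (len >= max_size)
        max_size = round_fn(len);
    return max_size;
}

/* Smallest n in [1, limit] for which the buffer is too small; 0 if none. */
static size_t first_overflowing_length(size_t (*round_fn)(size_t), size_t limit)
{
    size_t n;

    for (n = 1; n <= limit; n++)
        if (buffer_after_growth(round_fn, n) < strvis_worst_case(n))
            return n;
    return 0;
}

int main(void)
{
    /* Constructed string lengths; 256 and 512 make len an exact multiple of 1024. */
    static const size_t lens[] = { 10, 255, 256, 300, 512, 1000 };
    static const struct { const char *name; size_t (*fn)(size_t); } variants[] = {
        { "(len + 1023) & 1023  (reported)",  round_buggy },
        { "(len + 1023) & ~1023 (first fix)", round_first_fix },
        { "(len + 1024) & ~1023 (Otto)",      round_otto },
    };
    size_t i, j;

    for (i = 0; i < sizeof variants / sizeof variants[0]; i++) {
        printf("%s\n", variants[i].name);
        for (j = 0; j < sizeof lens / sizeof lens[0]; j++) {
            size_t n = lens[j];
            size_t have = buffer_after_growth(variants[i].fn, n);
            size_t need = strvis_worst_case(n);
            printf("  strlen=%4zu need=%5zu max_size=%5zu %s\n",
                   n, need, have, have >= need ? "ok" : "OVERFLOW");
        }
        printf("  first overflowing strlen up to 4096: %zu\n",
               first_overflowing_length(variants[i].fn, 4096));
    }
    return 0;
}
```

Running it shows the two failure modes side by side: the reported expression shrinks the buffer to at most 1023 bytes (a strlen of 256 already overflows by a wide margin), while the first fix stops one byte short exactly when strlen is a multiple of 256 (len a multiple of 1024), which is the case Otto Moerbeek describes; only the `+ 1024` form leaves room for every length.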
>Unformatted:
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.