NetBSD Problem Report #53368
From www@NetBSD.org Fri Jun 15 16:52:47 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id A7FA67A1B0
for <gnats-bugs@gnats.NetBSD.org>; Fri, 15 Jun 2018 16:52:47 +0000 (UTC)
Message-Id: <20180615165245.B83C77A26F@mollari.NetBSD.org>
Date: Fri, 15 Jun 2018 16:52:45 +0000 (UTC)
From: thomas.barabosch@fkie.fraunhofer.de
Reply-To: thomas.barabosch@fkie.fraunhofer.de
To: gnats-bugs@NetBSD.org
Subject: Potential integer overflow in usr.bin/patch/inp.c
X-Send-Pr-Version: www-1.0
>Number: 53368
>Category: bin
>Synopsis: Potential integer overflow in usr.bin/patch/inp.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jun 15 16:55:00 +0000 2018
>Closed-Date: Sat Jun 16 06:04:56 +0000 2018
>Last-Modified: Sat Jun 16 06:04:56 +0000 2018
>Originator: Thomas Barabosch
>Release: 7.1.2
>Organization:
Fraunhofer FKIE
>Environment:
>Description:
There is a potential integer overflow in usr.bin/patch/inp.c. In function reallocate_lines there is an array reallocation with realloc that utilizes a multiplication. It is better to use reallocarr.3 (at least for NetBSD > 7.0).
I checked with other BSDs and found that this issue was patched in OpenBSD (check github mirror, commit c905b2617f2672181a099d8df3fa499ef3abdcf9).
I've drafted a patch. Reallocarr returns an int, not a pointer. Therefore, I checked for zero and threw away the assignment i_ptr = p since this function directly works on the array. Does this look OK? Or is there another way to fix this issue?
>How-To-Repeat:
>Fix:
--- usr.bin/patch/inp.c 2018-05-14 00:00:49.573719141 +0200
+++ usr.bin/patch/inp.c.patched 2018-06-15 18:43:30.914882168 +0200
@@ -122,8 +122,8 @@
size_t new_size;
new_size = *lines_allocated * 3 / 2;
- p = realloc(i_ptr, (new_size + 2) * sizeof(char *));
- if (p == NULL) { /* shucks, it was a near thing */
+ int res = reallocarr(&i_ptr, new_size + 2, sizeof(char *));
+ if (res != 0) { /* shucks, it was a near thing */
munmap(i_womp, i_size);
i_womp = NULL;
free(i_ptr);
@@ -132,7 +132,6 @@
return false;
}
*lines_allocated = new_size;
- i_ptr = p;
return true;
}
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53368 CVS commit: src/usr.bin/patch
Date: Fri, 15 Jun 2018 20:40:14 -0400
Module Name: src
Committed By: christos
Date: Sat Jun 16 00:40:14 UTC 2018
Modified Files:
src/usr.bin/patch: inp.c
Log Message:
PR/53368: Thomas Barabosch: Potential integer overflow in usr.bin/patch/inp.c
To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/usr.bin/patch/inp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Sat, 16 Jun 2018 06:04:56 +0000
State-Changed-Why:
Committed by christos.
Thanks!
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.