NetBSD Problem Report #54117
From www@netbsd.org Fri Apr 12 12:29:14 2019
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 7C58D7A1B3
for <gnats-bugs@gnats.NetBSD.org>; Fri, 12 Apr 2019 12:29:14 +0000 (UTC)
Message-Id: <20190412122913.64E177A1D7@mollari.NetBSD.org>
Date: Fri, 12 Apr 2019 12:29:13 +0000 (UTC)
From: paavo.helde@perkinelmer.com
Reply-To: paavo.helde@perkinelmer.com
To: gnats-bugs@NetBSD.org
Subject: Buffer overflow in editline filename completion
X-Send-Pr-Version: www-1.0
>Number: 54117
>Category: lib
>Synopsis: Buffer overflow in editline filename completion
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: christos
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 12 12:30:00 +0000 2019
>Closed-Date: Sat Apr 20 07:33:16 +0000 2019
>Last-Modified: Sat Apr 20 07:33:16 +0000 2019
>Originator: Paavo Helde
>Release: $NetBSD: filecomplete.c,v 1.51 2018/05/04 20:38:26 christos Exp $
>Organization:
PerkinElmer, inc
>Environment:
Linux altair 4.4.104-39-default #1 SMP Thu Jan 4 08:11:03 UTC 2018 (7db1912) x86_64 x86_64 x86_64 GNU/Linux
>Description:
It looks like the buffer allocated for filename completion in escape_filename() in http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libedit/filecomplete.c is 1 byte too short. Maybe appending the terminating quote is not taken into account.
>How-To-Repeat:
In a program using editline/libedit, attempt to complete a filename starting with " , for various lengths of the prefix. With our app at least it frequently crashes. valgrind memcheck shows an invalid write at line 259:
escaped_str[offset++] = '"';
>Fix:
After line 215
newlen = original_len + escaped_character_count + 1;
add
if (s_quoted || d_quoted) {
++newlen;
}
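The off-by-one the report describes, as an added example that is not libedit's code: a standalone C model of the allocation arithmetic in escape_filename(), with the pre-fix formula and the fixed one side by side. The escaping rules and the set of characters that take a backslash are assumptions approximating libedit's behaviour, the function names alloc_bytes(), write_escaped() and completion_fits() are invented for this example, and the unique-match path appends the closing quote and a space as the PR describes. write_escaped() refuses to store past the buffer, so the one-byte shortfall shows up as a return value rather than as heap corruption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters backslash-escaped outside quotes. Assumed approximation of
 * libedit's needs_escaping(), not copied from it. */
static int needs_escaping(char c)
{
    return c != '\0' && strchr(" \t\n\\\"'`$&|;<>()*?[]#~", c) != NULL;
}

/*
 * Bytes the allocation formula yields for completing `fn` when the word was
 * opened with `quote` ('"', '\'' or 0 for none) and `single_match` means a
 * trailing space will be appended. fixed=0 reproduces the formula quoted in
 * the PR; fixed=1 adds the byte for the closing quote, as the PR suggests.
 */
static size_t alloc_bytes(const char *fn, char quote, int single_match, int fixed)
{
    size_t original_len = 0, escaped_character_count = 0, newlen;
    const char *s;

    for (s = fn; *s; s++, original_len++) {
        char c = *s;
        if (quote == '\'' && c == '\'')
            escaped_character_count += 3;   /* ' becomes '\'' */
        else if (quote == '"' && (c == '"' || c == '\\' || c == '`' || c == '$'))
            escaped_character_count++;
        else if (!quote && needs_escaping(c))
            escaped_character_count++;
    }
    newlen = original_len + escaped_character_count + 1;  /* + NUL */
    if (fixed && quote)
        newlen++;                   /* the closing quote the PR adds */
    if (single_match)
        newlen++;                   /* the appended space */
    return newlen;
}

/*
 * Write the escaped completion into out[cap]. Returns the bytes the full
 * result needs, NUL included; once that exceeds cap the stores are skipped,
 * so the caller learns about the overrun instead of corrupting the heap.
 */
static size_t write_escaped(const char *fn, char quote, int single_match,
                            char *out, size_t cap)
{
    size_t off = 0;
    const char *s;
#define PUT(ch) do { if (off < cap) out[off] = (ch); off++; } while (0)
    for (s = fn; *s; s++) {
        char c = *s;
        if (quote == '\'') {
            if (c == '\'') { PUT('\''); PUT('\\'); PUT('\''); PUT('\''); }
            else PUT(c);
        } else if (quote == '"') {
            if (c == '"' || c == '\\' || c == '`' || c == '$') PUT('\\');
            PUT(c);
        } else {
            if (needs_escaping(c)) PUT('\\');
            PUT(c);
        }
    }
    if (single_match) {
        if (quote)
            PUT(quote);             /* the store valgrind flagged in the PR */
        PUT(' ');
    }
    PUT('\0');
#undef PUT
    return off;
}

/* 1 if the formula's buffer holds the unique-match completion, 0 if it
 * would have been overrun by at least one byte, -1 on malloc failure. */
static int completion_fits(const char *fn, char quote, int fixed)
{
    size_t cap = alloc_bytes(fn, quote, 1, fixed);
    char *buf = malloc(cap);
    size_t need;

    if (buf == NULL)
        return -1;
    need = write_escaped(fn, quote, 1, buf, cap);
    free(buf);
    return need <= cap;
}

int main(void)
{
    /* Constructed inputs: a quoted prefix is what the reporter completed. */
    const char *names[] = { "my file.txt", "it's", "a b" };
    char quotes[] = { '"', '\'', 0 };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("%-12s quote=%c  old formula fits: %d  fixed formula fits: %d\n",
               names[i], quotes[i] ? quotes[i] : '-',
               completion_fits(names[i], quotes[i], 0),
               completion_fits(names[i], quotes[i], 1));
    return 0;
}
```

Unquoted input is unaffected by the bug because no closing quote is appended; the shortfall appears only when the prefix was opened with a quote and the match is unique, which is exactly the prefix-length-dependent crash the reporter saw.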
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: lib-bug-people->abhinav
Responsible-Changed-By: abhinav@NetBSD.org
Responsible-Changed-When: Fri, 12 Apr 2019 15:06:56 +0000
Responsible-Changed-Why:
Mine
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/54117 CVS commit: src/lib/libedit
Date: Fri, 12 Apr 2019 11:12:29 -0400
Module Name: src
Committed By: christos
Date: Fri Apr 12 15:12:29 UTC 2019
Modified Files:
src/lib/libedit: filecomplete.c
Log Message:
PR/54117: Paavo Helde: Fix memory overrun: Account for the closing quote
in memory allocation if quoted.
To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 src/lib/libedit/filecomplete.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Responsible-Changed-From-To: abhinav->christos
Responsible-Changed-By: abhinav@NetBSD.org
Responsible-Changed-When: Fri, 12 Apr 2019 15:18:19 +0000
Responsible-Changed-Why:
christos already handled it
State-Changed-From-To: open->feedback
State-Changed-By: abhinav@NetBSD.org
State-Changed-When: Fri, 12 Apr 2019 15:19:41 +0000
State-Changed-Why:
Christos committed the fix suggested by you, could you verify it?
From: "Helde, Paavo" <Paavo.Helde@PERKINELMER.COM>
To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>,
"christos@netbsd.org"
<christos@netbsd.org>,
"netbsd-bugs@netbsd.org" <netbsd-bugs@netbsd.org>,
"gnats-admin@netbsd.org" <gnats-admin@netbsd.org>
Cc:
Subject: RE: [External] Re: lib/54117 (Buffer overflow in editline filename
completion)
Date: Mon, 15 Apr 2019 08:06:51 +0000
Yes, I can confirm the fix seems to cure the memory overrun issue.
PS. We are using the port https://www.thrysoee.dk/editline/libedit-20190324-3.1.tar.gz and we saw several issues with it, like the history subsystem not being configurable and our custom ^@ binding regularly overwritten. The port is some weeks old, maybe some problems are fixed already, maybe some are specific to the port and maybe some are the artefacts of our potentially inadequate attempts to force the library to behave as needed for us. In short, would it make sense for me to try to report some of those issues and if so, in what form?
Regards
Paavo
-----Original Message-----
From: abhinav@NetBSD.org <abhinav@NetBSD.org>
Sent: Friday, April 12, 2019 6:20 PM
To: christos@netbsd.org; netbsd-bugs@netbsd.org; gnats-admin@netbsd.org; abhinav@NetBSD.org; Helde, Paavo <Paavo.Helde@PERKINELMER.COM>
Subject: [External] Re: lib/54117 (Buffer overflow in editline filename completion)
Synopsis: Buffer overflow in editline filename completion
State-Changed-From-To: open->feedback
State-Changed-By: abhinav@NetBSD.org
State-Changed-When: Fri, 12 Apr 2019 15:19:41 +0000
State-Changed-Why:
Christos committed the fix suggested by you, could you verify it?
From: Christos Zoulas <christos@zoulas.com>
To: gnats-bugs@netbsd.org
Cc: christos@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org,
paavo.helde@perkinelmer.com
Subject: Re: [External] Re: lib/54117 (Buffer overflow in editline filename
completion)
Date: Mon, 15 Apr 2019 08:36:18 -0400
The best way is to file PR's using the NetBSD send-pr system. You can use the command line script on NetBSD or
http://www.netbsd.org/cgi-bin/sendpr.cgi?gndb=netbsd
Best Regards,
christos
State-Changed-From-To: feedback->closed
State-Changed-By: abhinav@NetBSD.org
State-Changed-When: Sat, 20 Apr 2019 07:33:16 +0000
State-Changed-Why:
Fix confirmed by the user. Thanks for the PR and the analysis.
>Unformatted: