Date: Fri, 11 Nov 2022 18:37:06 GMT
Message-Id: <202211111837.2ABIb6W0004501@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin Subject: git: 59c1904fc214 - stable/13 - rs: Fix a use after free. List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhb X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 59c1904fc214a5c883e5b6d947f0673b53c8f155 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=59c1904fc214a5c883e5b6d947f0673b53c8f155 commit 59c1904fc214a5c883e5b6d947f0673b53c8f155 Author: John Baldwin AuthorDate: 2022-10-05 23:47:40 +0000 Commit: John Baldwin CommitDate: 2022-11-11 18:18:54 +0000 rs: Fix a use after free. Using a pointer passed to realloc() after realloc() even for pointer arithmetic is UB. It also breaks in practice on CHERI systems as the updated value of 'sp' in this case would have had the bounds from the old allocation. This would be much cleaner if elem were a std::vector. Reviewed by: brooks, emaste Reported by: GCC -Wuse-after-free Differential Revision: https://reviews.freebsd.org/D36831 (cherry picked from commit e5f2d5b35e79ddf995a8a5c782a7940ca2e05fdf) --- usr.bin/rs/rs.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr.bin/rs/rs.c b/usr.bin/rs/rs.c index 99e48194b3c7..557c5b9f56c0 100644 --- a/usr.bin/rs/rs.c +++ b/usr.bin/rs/rs.c @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include 
@@ -365,13 +366,15 @@ static char ** getptrs(char **sp) { char **p; + ptrdiff_t offset; + offset = sp - elem; allocsize += allocsize; p = (char **)realloc(elem, allocsize * sizeof(char *)); if (p == NULL) err(1, "no memory"); - sp += (p - elem); + sp = p + offset; endelem = (elem = p) + allocsize; return(sp); }
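Review bot: the added `+#include` in the first hunk (rs.c around line 38) has lost its header name in this rendering, as have the neighbouring includes, so it cannot be checked here; since the second hunk introduces a `ptrdiff_t`, the header that declares it is `<stddef.h>`, and that is what the new line should be rather than relying on a transitive include from another header.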
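Review bot: the replacement of `sp += (p - elem);` with `offset = sp - elem;` taken before `realloc()` and `sp = p + offset;` applied afterwards is the right fix: no arithmetic is done on the freed `elem`, and on CHERI `sp` is now derived from `p` and so carries the bounds of the new allocation instead of the old one. Two things I would still tighten in this hunk: `sp - elem` is only well defined while `sp` points into the `elem` array, so an `assert(sp >= elem && sp <= endelem);` before the `realloc()` (while `endelem` still describes the old block) would document the invariant the function depends on; and the `(char **)` cast on `realloc()` is unnecessary in C and could be dropped while touching the line.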