git: b7b447fd4ca3 - main - When parsing a rule to rotate log files on a specific week day, parseDWM() can advance the time to the next week. If the next week is in the next month, then tm_mon is incremented. However, the increment was failing to handle the wraparound from December to January, so when parsing a rule during the last week of the December, the month would advance to month 12. This triggered an out-of-bounds read of the mtab[] array in days_pmonth() after parseDWM() returned. To fix, this change resets the month to January and increment the year when the month increment wraps.

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Garance A Drosehn <gad_at_FreeBSD.org>
Date: Thu, 30 Dec 2021 21:03:36 UTC

The branch main has been updated by gad:

URL: https://cgit.FreeBSD.org/src/commit/?id=b7b447fd4ca327faa99b2f16e6cbd61c86c75f04

commit b7b447fd4ca327faa99b2f16e6cbd61c86c75f04
Author:     Garance A Drosehn <gad@FreeBSD.org>
AuthorDate: 2021-12-30 20:45:13 +0000
Commit:     Garance A Drosehn <gad@FreeBSD.org>
CommitDate: 2021-12-30 20:45:13 +0000

    When parsing a rule to rotate log files on a specific week day,
    parseDWM() can advance the time to the next week. If the next week is
    in the next month, then tm_mon is incremented. However, the increment
    was failing to handle the wraparound from December to January, so when
    parsing a rule during the last week of the December, the month would
    advance to month 12. This triggered an out-of-bounds read of the
    mtab[] array in days_pmonth() after parseDWM() returned.  To fix,
    this change resets the month to January and increment the year when
    the month increment wraps.
    
    The default rule for /var/log/weekly.log triggers this during the
    last week of December each year.
    Reported by:    CHERI
    Obtained from:  CheriBSD
    Reviewed by:    jhb
    Sponsored by:   The University of Cambridge, Google Inc.
    Differential Revision:  <https://reviews.freebsd.org/D33687>
---
 usr.sbin/newsyslog/ptimes.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/usr.sbin/newsyslog/ptimes.c b/usr.sbin/newsyslog/ptimes.c
index b7b993f01959..d54ca1d40050 100644
--- a/usr.sbin/newsyslog/ptimes.c
+++ b/usr.sbin/newsyslog/ptimes.c
@@ -279,6 +279,10 @@ parseDWM(struct ptime_data *ptime, const char *s)
 				if (tm.tm_mday > daysmon) {
 					tm.tm_mon++;
 					tm.tm_mday = tm.tm_mday - daysmon;
+					if (tm.tm_mon >= 12) {
+						tm.tm_mon = 0;
+						tm.tm_year++;
+					}
 				}
 			}
 			break;