Date: Wed, 5 Oct 2022 23:48:32 GMT
Message-Id: <202210052348.295NmWqB087284@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: John Baldwin
Subject: git: e5f2d5b35e79 - main - rs: Fix a use after free.
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: e5f2d5b35e79ddf995a8a5c782a7940ca2e05fdf

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=e5f2d5b35e79ddf995a8a5c782a7940ca2e05fdf

commit
e5f2d5b35e79ddf995a8a5c782a7940ca2e05fdf Author: John Baldwin AuthorDate: 2022-10-05 23:47:40 +0000 Commit: John Baldwin CommitDate: 2022-10-05 23:47:40 +0000 rs: Fix a use after free. Using a pointer passed to realloc() after realloc() even for pointer arithmetic is UB. It also breaks in practice on CHERI systems as the updated value of 'sp' in this case would have had the bounds from the old allocation. This would be much cleaner if elem were a std::vector. Reviewed by: brooks, emaste Reported by: GCC -Wuse-after-free Differential Revision: https://reviews.freebsd.org/D36831 --- usr.bin/rs/rs.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr.bin/rs/rs.c b/usr.bin/rs/rs.c index 99e48194b3c7..557c5b9f56c0 100644 --- a/usr.bin/rs/rs.c +++ b/usr.bin/rs/rs.c @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include @@ -365,13 +366,15 @@ static char ** getptrs(char **sp) { char **p; + ptrdiff_t offset; + offset = sp - elem; allocsize += allocsize; p = (char **)realloc(elem, allocsize * sizeof(char *)); if (p == NULL) err(1, "no memory"); - sp += (p - elem); + sp = p + offset; endelem = (elem = p) + allocsize; return(sp); }
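Review bot: in the first hunk (the `+#include` at line 41 of rs.c) the header name is not visible in this mail rendering, since the angle-bracketed argument was stripped along with the other `#include` arguments, so a reviewer reading here cannot confirm which header was added; it needs to be the one that declares `ptrdiff_t`, which is `<stddef.h>`, and it should sit in the position style(9) expects within the existing run of system headers rather than simply at the end of the block.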
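Review bot: in the getptrs() hunk, capturing `offset = sp - elem;` before the realloc() call and rebuilding with `sp = p + offset;` is the right shape: the only arithmetic on the old `elem` happens while it is still live, and what survives the call is a plain integer, so neither the freed pointer nor its old (narrower) CHERI bounds are used afterwards, and `ptrdiff_t` is the correct type for the difference of two pointers into the same array. What the hunk leaves unchanged is `allocsize += allocsize;` followed by `realloc(elem, allocsize * sizeof(char *))` with no overflow check on the multiplication; a follow-up could use reallocarray(3), which FreeBSD's libc provides, to get that check for free, but it is outside this fix.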
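As an added example that is not the FreeBSD rs(1) code: the pattern the commit adopts (take the cursor's offset before realloc(), re-base it onto the new block after) written as a stand-alone growable pointer array, with a check that the cursor keeps its index across the growth. The `ptrvec` struct and the `ptrvec_grow`/`demo_grow` names are assumed, and it goes beyond the hunk by adding the size-multiplication overflow check the hunk does not have.

```c
#include <err.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed example, not FreeBSD's rs(1): a growable char * array. */
struct ptrvec {
	char **elem;       /* start of the current allocation */
	char **endelem;    /* one past the last slot */
	size_t allocsize;  /* slots in the allocation */
};

/* Double the array and return 'sp' re-based onto the new block.  The offset
 * is taken before realloc(): afterwards the old elem is freed and even
 * 'p - elem' on it is undefined (and out of bounds on CHERI). */
static char **
ptrvec_grow(struct ptrvec *v, char **sp)
{
	ptrdiff_t offset = sp - v->elem;   /* sp points into, or one past, elem */
	char **p;

	if (v->allocsize > SIZE_MAX / 2 / sizeof(char *))
		errx(1, "array too large");     /* added check, not in the hunk */
	v->allocsize += v->allocsize;
	p = realloc(v->elem, v->allocsize * sizeof(char *));
	if (p == NULL)
		err(1, "no memory");
	v->endelem = (v->elem = p) + v->allocsize;
	return (p + offset);
}

/* Fill 4 slots, grow at the end cursor, check the cursor kept its index. */
static int
demo_grow(void)
{
	char *words[] = { "a", "b", "c", "d" };   /* constructed input */
	struct ptrvec v = { calloc(4, sizeof(char *)), NULL, 4 };
	char **sp;
	int ok;

	if (v.elem == NULL)
		err(1, "no memory");
	v.endelem = v.elem + v.allocsize;
	for (sp = v.elem; sp < v.endelem; sp++)
		*sp = words[sp - v.elem];
	sp = ptrvec_grow(&v, sp);          /* sp was endelem: offset 4 */
	ok = sp - v.elem == 4 && v.endelem - v.elem == 8 && v.elem[3] == words[3];
	free(v.elem);
	return (ok);
}
```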