[Bug 201657] Buffer overflow in libdtrace
bugzilla-noreply at freebsd.org
Fri Jul 17 18:42:26 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201657
Bug ID: 201657
Summary: Buffer overflow in libdtrace
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: pfg at FreeBSD.org
While testing with the experimental version of FORTIFY_SOURCE from GSoC 2015,
this issue was found on MIPS (with the native gcc 4.2.1).
...
===> cddl/lib/libdtrace (all)
cc1: warnings being treated as errors
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c: In function 'dt_printf_format':
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c:1562: warning: call to __snprintf_chk will always overflow destination buffer
--- dt_printf.So ---
*** [dt_printf.So] Error code 1
make[7]: stopped in /scratch/tmp/pfg/head/cddl/lib/libdtrace
1 error
...
For comparison, coverity found this:
1561     if (width != 0)
1562         f += snprintf(f, sizeof (format), "%d", ABS(width));
1563
     60. Condition prec > 0, taking true branch
1564     if (prec > 0)
     CID 1018005 (#1 of 1): Out-of-bounds access (OVERRUN)
     61. overrun-buffer-arg: Overrunning buffer pointed to by f of 64 bytes by
     passing it to a function which accesses it at byte offset 70 using argument
     64U. [Note: The source code implementation of the function has been
     overridden by a builtin model.]
1565         f += snprintf(f, sizeof (format), ".%d", prec);
1566
...
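The defect both tools flag is the same: `format` is filled piecewise while the cursor `f` advances, but every `snprintf()` is still handed `sizeof (format)` as its limit, so the permitted write window reaches `(f - format)` bytes past the end of the buffer. The following is an added example, not libdtrace code: `stale_limit_end()` shows the arithmetic behind Coverity's 70-byte figure, and `build_format()` is a hypothetical builder of the same shape (prefix, flags, width, precision, conversion) that bounds each call by the room actually left and reports truncation instead of overrunning.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FMT_BUFSZ 64  /* size of 'format' in dt_printf_format() per the report */

/* Highest byte offset snprintf(f, sizeof (format), ...) may touch once f has
 * advanced 'offset' bytes into a FMT_BUFSZ buffer. The limit never shrinks
 * with the cursor, so offset 6 yields 70, past the 64-byte buffer. */
size_t stale_limit_end(size_t offset)
{
    return offset + FMT_BUFSZ;
}

/* Append one piece, tracking the remaining room. Returns 0 on success, -1 if
 * the piece did not fit; the buffer stays NUL-terminated either way. */
static int append(char **f, size_t *left, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(*f, *left, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= *left)
        return -1;              /* truncated: do not advance past the end */
    *f += n;
    *left -= (size_t)n;
    return 0;
}

/* Build a conversion spec such as "%-10.5d" into out[outsz]. Hypothetical
 * counterpart of dt_printf_format(): same pieces, but each call is bounded by
 * the bytes left after the cursor rather than by sizeof(out). */
int build_format(char *out, size_t outsz, const char *flags,
                 int width, int prec, char conv)
{
    char *f = out;
    size_t left = outsz;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (append(&f, &left, "%%") != 0) return -1;
    if (flags != NULL && *flags != '\0' && append(&f, &left, "%s", flags) != 0) return -1;
    if (width != 0 && append(&f, &left, "%d", abs(width)) != 0) return -1;
    if (prec > 0 && append(&f, &left, ".%d", prec) != 0) return -1;
    return append(&f, &left, "%c", conv);
}
```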