[Bug 206177] Out-of-bounds read in wcsncat(3)

Tue Jan 12 22:40:10 UTC 2016

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206177

            Bug ID: 206177
           Summary: Out-of-bounds read in wcsncat(3)
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cherepan at mccme.ru

Created attachment 165467
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165467&action=edit
Patch

The wcsncat function could read several bytes behind the end of its input
buffer. This could lead to a crash if the buffer happens to immediately precede
an unmapped page.

According to C11, 7.29.4.3.2, wcsncat(s1, s2, n) will append s2 to s1 but will
stop as soon as null wide char is met or n wide chars are read. In particular,
s2 is not required to be a null-terminated wide string.
(The man page[1] for wcsncat refers to the man page[2] for strncat which
erroneously talks about strings only. I filed [3] about it.)

When s2 is an array containing exactly n non-null wide chars, FreeBSD
implementation of wcsncat will read one extra wide char. The code[4] for
traversing the source array:

50              r = s2;
51              while (*r && n) {
52                      *q++ = *r++;
53                      n--;
54              }

"n" in the loop controlling expression makes sure that the loop is terminated
after n chars are copied but the dereference in "*r" happens before the "n"
check. For example, there would be one dereference when n=0.
Calling the function as wcsncat(s1, NULL, 0) will crash. (Formally speaking,
passing NULL as s2 is invalid in C11, a valid crashing testcase is attached.)

To fix it, it's enough to swap the checks in the while loop (patch attached).
Or all the code could be changed to match strncat.

The issue has security consequences but the function is rarely used so severity
seems very low.

Other BSDs are affected.

[1]
https://svnweb.freebsd.org/base/head/lib/libc/string/wmemchr.3?revision=251069&view=markup
[2]
https://svnweb.freebsd.org/base/head/lib/libc/string/strcat.3?revision=262890&view=markup
[3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206176
[4]
https://svnweb.freebsd.org/base/head/lib/libc/string/wcsncat.c?revision=188080&view=markup#l50

-- 
You are receiving this mail because:
You are the assignee for the bug.