[Bug 206552] [libc] Possible buffer overflow after flushing line-buffered files when only partial data was written

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Jan 24 01:20:14 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206552

            Bug ID: 206552
           Summary: [libc] Possible buffer overflow after flushing
                    line-buffered files when only partial data was written
           Product: Base System
           Version: 10.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: mccoy at doctor.com

Created attachment 166034
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=166034&action=edit
A test program that demonstrates the buffer overflow

Please see the attached file evil.c for a possible scenario in which it is possible to
trigger a buffer overflow.

It uses a somewhat contrived example of non-blocking pipes as an underlying
file descriptor, mainly because it's easy to trigger (partially) failed writes.

The defect can be located in the code /usr/src/lib/libc/stdio/fflush.c and
function __sflush. Line-buffered files where a write has partially succeeded
will have their internal write pointer increased, but without a
corresponding decrease of the write space.

(so, the defect is: if fp is a FILE *, then fp->_p is increased but fp->_w is
NOT decreased in this situation)

Sample output on my FreeBSD 10.2-RELEASE-p7 amd64 machine:

zsh 1311 % cc evil.c -o evil && ./evil
rc from fread(1): 1
rc from fwrite(1): 1
rc from fwrite(1021): 1021
rc from fflush: -1
rc from fwrite(1): 1
rc from fwrite(4): 4
Canary overwritten: 97 65 98 66

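The following is an added illustration, not the attached evil.c and not libc code: a constructed model of the stdio write-side bookkeeping the report describes. The field names `p` and `w` mirror the `fp->_p` and `fp->_w` fields named in the report, the flush loop is modelled on the behaviour the report describes (unwritten bytes are kept, the write pointer advances, and the `fix_w` flag selects whether the remaining-space counter is decreased as well), and the `limited_write` sink stands in for the partially successful write() the reporter triggers with a non-blocking pipe. The invariant check shows why the missing decrease matters: with `fix_w` off, the bookkeeping claims more free space than the buffer has, which is exactly the condition that lets later fwrite() calls run past the buffer end.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a FILE's write buffer: base/size describe the buffer,
 * p is the write pointer (fp->_p in the report) and w the remaining write
 * space (fp->_w in the report). */
typedef struct {
    unsigned char *base;
    int size;
    unsigned char *p;
    int w;
} model_file;

/* Invariant a consistent buffer must satisfy: space left equals buffer size
 * minus the bytes currently held. */
int model_consistent(const model_file *f) {
    return f->w == f->size - (int)(f->p - f->base);
}

/* Sink that accepts at most `limit` bytes in total, then fails, standing in
 * for a non-blocking pipe whose write() succeeds only partially. */
typedef struct { int limit; int consumed; } limited_sink;

static int limited_write(const unsigned char *buf, int n, void *ctx) {
    limited_sink *s = ctx;
    (void)buf;
    if (s->consumed >= s->limit)
        return -1;                       /* no room: the write fails outright */
    int t = n;
    if (s->consumed + t > s->limit)
        t = s->limit - s->consumed;      /* only part of the request goes out */
    s->consumed += t;
    return t;
}

/* Flush pending bytes through `wr`. On failure the unwritten tail is moved to
 * the front of the buffer and the write pointer advanced past it; `fix_w`
 * selects whether the remaining-space counter is decreased by the same
 * amount (correct) or left untouched (the defect the report describes). */
int model_flush(model_file *f, int (*wr)(const unsigned char *, int, void *),
                void *ctx, int fix_w) {
    unsigned char *src = f->base;
    int n = (int)(f->p - f->base);
    f->p = f->base;                      /* assume everything will be written */
    f->w = f->size;
    while (n > 0) {
        int t = wr(src, n, ctx);
        if (t <= 0) {
            if (src > f->p)              /* some bytes went out: keep the rest */
                memmove(f->p, src, (size_t)n);
            f->p += n;                   /* write pointer covers retained bytes */
            if (fix_w)
                f->w -= n;               /* free space must shrink by as much */
            return -1;                   /* EOF, as fflush reports */
        }
        n -= t;
        src += t;
    }
    return 0;
}

/* Run the report's scenario on the model: 12 pending bytes, a sink that takes
 * only 5 of them, then return how many bytes past the end of the buffer the
 * bookkeeping would now allow (0 means the invariant survived). */
int scenario_overrun(int fix_w) {
    unsigned char buf[16];
    model_file f = { buf, (int)sizeof buf, buf + 12, (int)sizeof buf - 12 };
    memcpy(buf, "0123456789AB", 12);     /* constructed pending data */
    limited_sink sink = { 5, 0 };
    if (model_flush(&f, limited_write, &sink, fix_w) != -1)
        return -1;                       /* partial write did not occur */
    return (int)(f.p - f.base) + f.w - f.size;
}

int main(void) {
    printf("defect: overrun allowance %d bytes\n", scenario_overrun(0));
    printf("fixed:  overrun allowance %d bytes\n", scenario_overrun(1));
    return 0;
}
```

With the counter left alone, seven bytes are retained in the buffer while `w` still reports the full sixteen free, so the model would accept seven bytes beyond the end of the buffer; decreasing `w` alongside the write pointer restores the invariant `model_consistent` checks.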

