[Bug 206552] [libc] Possible buffer overflow after flushing line-buffered files when only partial data was written
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Sun Jan 24 01:20:14 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206552
Bug ID: 206552
Summary: [libc] Possible buffer overflow after flushing
line-buffered files when only partial data was written
Product: Base System
Version: 10.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: mccoy at doctor.com
Created attachment 166034
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=166034&action=edit
A test program that demonstrates the buffer overflow
Please see attached file evil.c for a possible scenario where it's possible to
trigger buffer overflow.
It uses a somewhat contrived example of non-blocking pipes as an underlying
file descriptor, mainly because it's easy to trigger (partially) failed writes.
The defect can be located in the code /usr/src/lib/libc/stdio/fflush.c and
function __sflush. Line-buffered files where write(s) has partially succeeded
will have their internal write pointer increased, but not getting a
corresponding write space decrease.
(so, the defect is: if fp is a FILE *, then fp->_p is increased but fp->_w is
NOT decreased in this situation)
Sample output on my FREEBSD 10.2-RELEASE-p7 amd64 machine:
zsh 1311 % cc evil.c -o evil && ./evil
rc from fread(1): 1
rc from fwrite(1): 1
rc from fwrite(1021): 1021
rc from fflush: -1
rc from fwrite(1): 1
rc from fwrite(4): 4
Canary overwritten: 97 65 98 66
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list