gzip memory corruption
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Thu Jul 9 03:34:35 UTC 2009
Xin, good day.
Wed, Jul 08, 2009 at 05:05:44PM -0700, Xin LI wrote:
> >>> The offending code lays in the function file_compress:
> >>>> /* Add (usually) .gz to filename */
> >>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
> >>>> file, suffixes[0].zipped) >= outsize)
> >>>> memcpy(outfile - suffixes[0].ziplen - 1,
> >>>> suffixes[0].zipped, suffixes[0].ziplen + 1);
> >> The memcpy() call looks like a complete madness: it will write before
> >> the beginning of the 'outfile', so it will be buffer underflow in any
> >> case (unless I am terribly mistaken and missing some obvious point).
> >
> >> I'd change the above code to warn and return if snprintf will discard
> >> some trailing characters, the patch is attached.
>
> I have attached another possible fix, which catches the problem when
> parsing the command line. The point is that, I think we really want to
> catch bad input as early as possible.
Yes, it is good to catch it here too.
> Index: gzip.c
> ===================================================================
> --- gzip.c (?????? 195435)
> +++ gzip.c (????????????)
> @@ -372,6 +372,8 @@
> case 'S':
> len = strlen(optarg);
> if (len != 0) {
> + if (len >= PATH_MAX)
> + errx(1, "incorrect suffix: '%s'", optarg);
> suffixes[0].zipped = optarg;
> suffixes[0].ziplen = len;
> } else {
But the place with the memcpy() should be patched too. Two reasons:
- suffix could not (yet) overflow PATH_MAX, but filename + suffix --
can;
- I am really worried about the usage of memcpy with underflow;
I had tried to study the reasons for it via NetBSD CVS, but
it just appeared one day and the reason for going to
'outfile - suffixes[0].ziplen - 1' (with .gz its outfile - 4)
are unknown; I am still taking this as the programming error.
So, unless you know why we're underflowing the passed pointer,
the memcpy block should be patched too, for future safety and
code correctness.
--
Eygene
_ ___ _.--. #
\`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / # -- FreeBSD Developers handbook
{_.-``-' {_/ #
More information about the freebsd-security
mailing list