Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > gnu.bash.bug > #16460
| Path | csiph.com!xmission!news.snarked.org!news.linkpendium.com!news.linkpendium.com!panix!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Jessica Clarke <jrtc27@jrtc27.com> |
| Newsgroups | gnu.bash.bug |
| Subject | [PATCH] unwind_prot.c: Avoid buffer overflow |
| Date | Sat, 27 Jun 2020 22:14:38 +0100 |
| Lines | 35 |
| Approved | bug-bash@gnu.org |
| Message-ID | <mailman.527.1593295307.2574.bug-bash@gnu.org> (permalink) |
| References | <20200627211438.40013-1-jrtc27@jrtc27.com> |
| NNTP-Posting-Host | lists.gnu.org |
| Mime-Version | 1.0 |
| Content-Transfer-Encoding | 8bit |
| X-Trace | usenet.stanford.edu 1593295308 7490 209.51.188.17 (27 Jun 2020 22:01:48 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| Cc | Jessica Clarke <jrtc27@jrtc27.com> |
| To | bug-bash@gnu.org |
| Envelope-to | bug-bash@gnu.org |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=jrtc27.com; s=gmail.jrtc27.user; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=/0STzMfhOoQ3B2pRiYjq3GL7bj0V5ERQEwTA0okP7QY=; b=n9q4bAbe8efWAz7h6BLJRX/po3gjShLIvE8zCVKmGCnjzUx8j87NORW/nQtSnBdIlC m0j4hLGD8jw2M+/BT1Q9O4yCzqlug+xX1mjrj8dTBJjg6kZcV4o9CrwQZwaqNVOGa3Se wNSnZ1RKe48F4TslJtUHBd4Sdg8bh/n32TlQ9SN7OVs5R91sHmiP0bJuMMTmNcJsLd1D o6vaecoeaIZSowW5WHZlUWMIHSXRXNJ5HdxvDpp55BAaZoxx65v0c9gUw3PlETN4Rd6s wgSCD8IrRlfOMSjaRBfT2U6aUthK+hgW+XNGWLGP2PFGbJEJTzMNl+2b7Vv031It3WaG OURg== |
| X-Google-DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=/0STzMfhOoQ3B2pRiYjq3GL7bj0V5ERQEwTA0okP7QY=; b=CTi+Md42zFCVBACTTLraKqsaobAP7BMIcaIxlrcHpUMI7MjR0YPBVyQh4hzT59SWSG z73VAj11VHJ0t6q/0YA4g1CBpQDDURhh3nmYtV43+43tnVI14Xsu5F2ZVqfmq3hVlSC3 F0DQNqDTbfLW8ApnbPpnyqvjrpUjQae0VQ18mId7kmlvZpGvRFdr0UKa1Mwa7Qn3esxg H6LH9qbnV4ibIxWPOAv71RhMbYFmKp4OVmkOKi54qhFZ9oaRnf1o5t5nRFvWoaqij6WX UxCPWPAf5nrIj++8VxfBJE/V/xo7I44Vv39yFTKWn3YA5IH0zdbBTBw7YbZ4Y8OvCW40 8yig== |
| X-Gm-Message-State | AOAM531U81iGAA5kj/25rhmSrwvMgDCoogCQfakLiDgBHm1VAtfb6UXD kALob2eKOCXUJGQoIY+zkohpmWcdJSc= |
| X-Google-Smtp-Source | ABdhPJyko2egfuRAQOfCUX3T8Tzio7oqzIUXtCoPmS0ZvdjPkpWD+yYSpNh10T2itquvh7ZQUT0mBA== |
| X-Received | by 2002:a7b:c84d:: with SMTP id c13mr9732196wml.170.1593292480911; Sat, 27 Jun 2020 14:14:40 -0700 (PDT) |
| X-Mailer | git-send-email 2.20.1 |
| Received-SPF | pass client-ip=2a00:1450:4864:20::342; envelope-from=jrtc27@jrtc27.com; helo=mail-wm1-x342.google.com |
| X-detected-operating-system | by eggs.gnu.org: No matching host in p0f cache. That's all we know. |
| X-Spam_score_int | -20 |
| X-Spam_score | -2.1 |
| X-Spam_bar | -- |
| X-Spam_report | (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN |
| X-Spam_action | no action |
| X-Mailman-Approved-At | Sat, 27 Jun 2020 18:01:45 -0400 |
| X-BeenThere | bug-bash@gnu.org |
| X-Mailman-Version | 2.1.23 |
| Precedence | list |
| List-Id | Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org> |
| List-Unsubscribe | <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe> |
| List-Archive | <https://lists.gnu.org/archive/html/bug-bash> |
| List-Post | <mailto:bug-bash@gnu.org> |
| List-Help | <mailto:bug-bash-request@gnu.org?subject=help> |
| List-Subscribe | <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <20200627211438.40013-1-jrtc27@jrtc27.com> |
| Xref | csiph.com gnu.bash.bug:16460 |
Show key headers only | View raw
In unwind_protect_mem_internal, we must make sure to allocate at least a full UNWIND_ELT, even if the required size for desired_setting is less than the remaining padding in UNWIND_ELT. Otherwise when we come to memset it with 0xdf in unwind_frame_discard_internal we will overflow the allocation. On existing 32-bit and 64-bit architectures, this padding happens to be only 4 bytes, and no users of this function call it with a size smaller than 4 (unwind_protect_short and unwind_protect_string are both currently unused). However, we should not rely on this as this could change in future. Moreover on CHERI-RISC-V, pointers are replaced with capabilities, 16-byte fat pointers, and the padding now ends up being 12 bytes, violating this assumption, but also trapping on this detected buffer overflow by virtue of its fine-grained bounds. --- unwind_prot.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/unwind_prot.c b/unwind_prot.c index c9196dc1..37429924 100644 --- a/unwind_prot.c +++ b/unwind_prot.c @@ -349,6 +349,8 @@ unwind_protect_mem_internal (var, psize) size = *(int *) psize; allocated = size + offsetof (UNWIND_ELT, sv.v.desired_setting[0]); + if (allocated < sizeof (UNWIND_ELT)) + allocated = sizeof (UNWIND_ELT); elt = (UNWIND_ELT *)xmalloc (allocated); elt->head.next = unwind_protect_list; elt->head.cleanup = (Function *) restore_variable; -- 2.20.1
Back to gnu.bash.bug | Previous | Next | Find similar
[PATCH] unwind_prot.c: Avoid buffer overflow Jessica Clarke <jrtc27@jrtc27.com> - 2020-06-27 22:14 +0100
csiph-web