Up to [cvs.NetBSD.org] / src / sys / kern
Request diff between arbitrary revisions
Default branch: MAIN
Current tag: rmind-smpnet-base
Revision 1.23 / (download) - annotate - [select for diffs], Tue Apr 22 19:01:47 2014 UTC (9 years, 11 months ago) by maxv
Branch: MAIN
CVS Tags: yamt-pagecache-base9,
tls-maxphys-base,
tls-earlyentropy-base,
rmind-smpnet-nbase,
rmind-smpnet-base,
nick-nhusb-base-20160529,
nick-nhusb-base-20160422,
nick-nhusb-base-20160319,
nick-nhusb-base-20151226,
nick-nhusb-base-20150921,
nick-nhusb-base-20150606,
nick-nhusb-base-20150406,
nick-nhusb-base,
netbsd-7-nhusb-base-20170116,
netbsd-7-nhusb-base,
netbsd-7-nhusb,
netbsd-7-base,
netbsd-7-2-RELEASE,
netbsd-7-1-RELEASE,
netbsd-7-1-RC2,
netbsd-7-1-RC1,
netbsd-7-1-2-RELEASE,
netbsd-7-1-1-RELEASE,
netbsd-7-1,
netbsd-7-0-RELEASE,
netbsd-7-0-RC3,
netbsd-7-0-RC2,
netbsd-7-0-RC1,
netbsd-7-0-2-RELEASE,
netbsd-7-0-1-RELEASE,
netbsd-7-0,
netbsd-7
Branch point for: nick-nhusb
Changes since 1.22: +8 -2
lines
Diff to previous 1.22 (colored)
Fix a read-beyond-end string read. coredump_buildname() copies 'pattern' into 'name', and handles special characters such as "%n". "%n", if present, will be replaced by p->p_comm. error = coredump_buildname(p, name, pattern, MAXPATHLEN); This function handles overflows, and returns an error when 'name' becomes larger than MAXPATHLEN. However, when coredump() calls it, 'name' is used before the error check, with: lastslash = strrchr(name, '/'); 'name' is not guaranteed to be NUL-terminated, because of the *d = *s in coredump_buildname(). This strrchr will read a string which is not NUL- terminated (ie. until finding a '\0' in memory). 'pattern' can't be higher than MAXPATHLEN. A user can fill it in via a PT_DUMPCORE ptrace call, given the input is not longer than MAXPATHLEN. Since the 2-bytes-sized "%n"s will be replaced by p->p_comm (which is user-settable, like a 10-bytes-sized "0123456789"), 'name' can become longer than 'pattern' (and thus longer than MAXPATHLEN). Some 'a's at the end of the buffer will make sure 'name' is not NUL-terminated. pattern: "%n%n%naaaaaaaaaaaaaaaaaaaaaaaaaaaa\0" | | | ||||||||||||||||||||||||||||| -> name: "012345678901234567890123456789aaaaa" [no \0] | | | |||||MAXPATHLEN Fix it by checking 'error' before calling strrchr.