CVS log for src/sys/kern/kern_core.c

Up to [cvs.NetBSD.org] / src / sys / kern

Request diff between arbitrary revisions

Default branch: MAIN
Current tag: rmind-smpnet-base

Revision 1.23 / (download) - annotate - [select for diffs], Tue Apr 22 19:01:47 2014 UTC (9 years, 11 months ago) by maxv
Branch: MAIN
CVS Tags: yamt-pagecache-base9, tls-maxphys-base, tls-earlyentropy-base, rmind-smpnet-nbase, rmind-smpnet-base, nick-nhusb-base-20160529, nick-nhusb-base-20160422, nick-nhusb-base-20160319, nick-nhusb-base-20151226, nick-nhusb-base-20150921, nick-nhusb-base-20150606, nick-nhusb-base-20150406, nick-nhusb-base, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7
Branch point for: nick-nhusb
Changes since 1.22: +8 -2 lines
Diff to previous 1.22 (colored)

Fix a read-beyond-end string read.

coredump_buildname() copies 'pattern' into 'name', and handles special
characters such as "%n". "%n", if present, will be replaced by p->p_comm.

	error = coredump_buildname(p, name, pattern, MAXPATHLEN);

This function handles overflows, and returns an error when 'name' becomes
larger than MAXPATHLEN. However, when coredump() calls it, 'name' is used
before the error check, with:

	lastslash = strrchr(name, '/');

'name' is not guaranteed to be NUL-terminated, because of the *d = *s in
coredump_buildname(). This strrchr will read a string which is not NUL-
terminated (ie. until finding a '\0' in memory).

'pattern' can't be higher than MAXPATHLEN. A user can fill it in via a
PT_DUMPCORE ptrace call, given the input is not longer than MAXPATHLEN.
Since the 2-bytes-sized "%n"s will be replaced by p->p_comm (which is
user-settable, like a 10-bytes-sized "0123456789"), 'name' can become
longer than 'pattern' (and thus longer than MAXPATHLEN). Some 'a's at the
end of the buffer will make sure 'name' is not NUL-terminated.

    pattern: "%n%n%naaaaaaaaaaaaaaaaaaaaaaaaaaaa\0"
              | | | |||||||||||||||||||||||||||||
  ->   name: "012345678901234567890123456789aaaaa" [no \0]
              |         |         |         |||||MAXPATHLEN

Fix it by checking 'error' before calling strrchr.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.