From: Tobias Stoeckmann <tobias@stoeckmann.org>
To: util-linux@vger.kernel.org
Subject: [PATCH] text-utils/ul: Fix buffer overflow
Date: Thu, 8 Sep 2016 21:19:22 +0200
Message-ID: <20160908191922.GA18991@localhost>

The text-utility ul can run into a buffer overflow on very long lines.
See this proof of concept for how to reproduce the issue:

$ dd if=/dev/zero bs=1M count=10 | tr '\000' '\041' > poc.txt
$ echo -ne '\xe\x5f\x8\x5f\x61\x2\xf\x5f\x8\x5f' | dd of=poc.txt conv=notrunc
$ ul -i poc.txt > /dev/null # output would take ages
Segmentation fault
$ _

The problem manifests by using alloca with "maxcol", which can be as
large as INT_MAX, based on the input line.

A very long line (> 8 MB) with modes must be supplied to ul, as seen in
my proof of concept byte sequence above.

It is rather easy to fix this issue: allocate space on the heap instead.
maxcol could overflow here, but in that case no system will have enough
space to handle the request, properly ending ul through an err() call.


Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 text-utils/ul.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/text-utils/ul.c b/text-utils/ul.c
index 6721974..3fd0b6a 100644
--- a/text-utils/ul.c
+++ b/text-utils/ul.c
@@ -402,11 +402,7 @@ static void flushln(void)
 static void overstrike(void)
 {
 	register int i;
-#ifdef __GNUC__
-	register wchar_t *lbuf = __builtin_alloca((maxcol + 1) * sizeof(wchar_t));
-#else
-	wchar_t lbuf[BUFSIZ];
-#endif
+	register wchar_t *lbuf = xmalloc((maxcol + 1) * sizeof(wchar_t));
 	register wchar_t *cp = lbuf;
 	int hadbold=0;
 
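Review bot: The size expression `(maxcol + 1) * sizeof(wchar_t)` in overstrike() still adds 1 in int arithmetic before the multiplication, so the INT_MAX case the commit message mentions is a signed overflow rather than a guaranteed oversized request to xmalloc(). Widening first, for example `((size_t)maxcol + 1) * sizeof(wchar_t)`, makes the intended "allocation fails, err() exits" behaviour explicit. The `register` qualifier on lbuf no longer serves a purpose now that it points to heap memory and could be dropped.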
@@ -439,16 +435,13 @@ static void overstrike(void)
 		for (cp = lbuf; *cp; cp++)
 			putwchar(*cp == '_' ? ' ' : *cp);
 	}
+	free(lbuf);
 }
 
 static void iattr(void)
 {
 	register int i;
-#ifdef __GNUC__
-	register wchar_t *lbuf = __builtin_alloca((maxcol+1)*sizeof(wchar_t));
-#else
-	wchar_t lbuf[BUFSIZ];
-#endif
+	register wchar_t *lbuf = xmalloc((maxcol + 1) * sizeof(wchar_t));
 	register wchar_t *cp = lbuf;
 
 	for (i = 0; i < maxcol; i++)
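Review bot: The allocation in iattr() repeats the overstrike() expression verbatim, so the `maxcol + 1` arithmetic now lives in two places and each call to either function pays a malloc/free pair. A small shared helper that returns the line buffer would keep the size computation in one spot and make a later change (such as reusing one buffer across lines) a single edit. Since free(lbuf) is placed only at the closing brace of overstrike(), it is also worth confirming that the function body outside this hunk has no early return that would skip it.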
@@ -465,6 +458,7 @@ static void iattr(void)
 		*cp = 0;
 	fputws(lbuf, stdout);
 	putwchar('\n');
+	free(lbuf);
 }
 
 static void initbuf(void)
-- 
2.10.0
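
As an added example (not part of the patch or of util-linux): the size computation the message discusses, done in size_t with explicit overflow checks before a heap allocation, so an oversized column count yields NULL instead of an unchecked stack adjustment. The helper names line_buf_bytes, line_buf_alloc and fill_line are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <wchar.h>

/* Hypothetical helper (not in util-linux): bytes needed for a line buffer
 * of `cols` wide characters plus a terminator, or 0 if `cols` is negative
 * or the size does not fit in size_t. */
size_t line_buf_bytes(int cols)
{
	size_t n;

	if (cols < 0)
		return 0;
	n = (size_t)cols + 1;              /* widen before adding: no int overflow */
	if (n > SIZE_MAX / sizeof(wchar_t))
		return 0;                      /* the multiplication would wrap */
	return n * sizeof(wchar_t);
}

/* Heap-backed replacement for the alloca() pattern: an impossible or
 * failed request is reported as NULL and can be handled by the caller. */
wchar_t *line_buf_alloc(int cols)
{
	size_t bytes = line_buf_bytes(cols);

	return bytes ? malloc(bytes) : NULL;
}

/* Fill the buffer the way an output pass would; returns the string length. */
size_t fill_line(wchar_t *buf, int cols, wchar_t ch)
{
	int i;

	for (i = 0; i < cols; i++)
		buf[i] = ch;
	buf[cols] = L'\0';
	return wcslen(buf);
}

int main(void)
{
	int cols = 10 * 1024 * 1024;       /* constructed: a 10 Mi column line */
	wchar_t *buf = line_buf_alloc(cols);
	size_t len = buf ? fill_line(buf, cols, L'!') : 0;

	free(buf);
	return len == (size_t)cols ? 0 : 1;
}
```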

