[9fans] crashing plan9 source boot CD with key combination (buffer overflow)

[9fans] crashing plan9 source boot CD with key combination (buffer overflow)

[Yoann Padioleau]

Hi,

There is another buffer overflow somewhere I think.

The code in kbdputsc() in kbd.c does not look very safe:

		kbscan->kc[kbscan->nk++] = c; <--------- no bound checking, can overflow.
		c = latin1(kbscan->kc, kbscan->nk);
		if(c < -1)	/* need more keystrokes */
			return;
		if(c != -1)	/* valid sequence */
			kbdputc(kbdq, c);
		else	/* dump characters */
			for(i=0; i<kbscan->nk; i++)
				kbdputc(kbdq, kbscan->kc[i]);
		kbscan->nk = 0;
		kbscan->collecting = 0;

Actually with the plan9 actual iso, when I boot from the CD
and in rio I open a new terminal and type

<Alt> x ddddddddddddddddddddddddddd <Alt> lc
then I crash the cpu.

Re: [9fans] crashing plan9 source boot CD with key combination (buffer overflow)

[erik quanstrom]

On Fri Jun 20 06:24:25 EDT 2014, pad@fb.com wrote:
good catch, but...

> The code in kbdputsc() in kbd.c does not look very safe:
>
> 		kbscan->kc[kbscan->nk++] = c; <--------- no bound checking, can overflow.

this behavior depends entirely on what latin1() does.  if
latin1() will always consume the array before kbscan->nk reaches
some bound, then extra checking here wouldn't change anything.

and that's the case.  (read port/latin1.c for details).

the real problem is that kc should be strlen("x10ffff") = 7.
(sources is wrong here, too, UTFmax*2+1 = 9, which would
allow for x1000ffff, which is not a rune)

- erik

ps: the bug was introduced here

Apr 30 16:05:23 EDT 2013 /n/sourcesdump/2014/0620/plan9/sys/src/9/port/latin1.c 1570

pps: 9atom patch applied /n/atom/patch/applied/collectlen