From: Rich Felker
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: overflow() at stdlib.h
Date: Thu, 12 Jul 2018 20:14:44 -0400
Message-ID: <20180713001444.GZ1392@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com

On Thu, Jul 12, 2018 at 07:55:56PM +0530, m0rtal f!w wrote:
> Team,
>
> File: stdlib.h#L:113
>
> i.e
> char *realpath (const char *__restrict, char *__restrict);
>
> According to the documentation of realpath() the output buffer needs to be
> at least of size PATH_MAX specifying output buffers large enough to handle
> the maximum-size possible result from path manipulation functions. (In that
> instance, buf's size comes from uv__fs_pathmax_size(). That function
> attempts to use pathconf(path, _PC_PATH_MAX) as noted in the realpath(3)
> docs)

There is no provision in the specification of realpath for use of
pathconf or other facilities for determining a maximum buffer size;
the resolved_name buffer argument must either point to an array of at
least PATH_MAX size, or must be a null pointer, in which case realpath
will allocate storage. Only the latter option when the implementation
does not define PATH_MAX, but musl always defines PATH_MAX.

> But over here uv__fs_pathmax_size() nor pathconf(path, _PC_PATH_MAX) is
> used.

I don't understand what you mean by "is used" here. The only file you
cited is header declarations only, no code, and the declaration is
exactly the only thing it's permitted to be (the one mandated by the
standard).

> Passing an inadequately-sized output buffer to a path manipulation function
> can result in a buffer overflow. Such functions include realpath()
> readlink() PathAppend() and others.
>
> Request team to have a look and validate.

If an application is not passing an adequately-sized (note: this means
PATH_MAX, not anything else!) buffer, that is an application bug and
the application has undefined behavior.

Rich
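
Added example, not part of the original message and not musl or libuv code: the two calling conventions the reply describes as valid for realpath(), written from the application side. The helper names resolve_into and resolve_fixed are hypothetical; the first shows how a caller holding a buffer smaller than PATH_MAX can still resolve a path without ever handing that buffer to realpath().

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700       /* expose realpath() and PATH_MAX */
#endif
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: resolve `path` into caller storage of `outsz` bytes.
 * Returns 0 on success, -1 with errno set on failure (ERANGE when the
 * resolved path does not fit in `out`). */
int resolve_into(const char *path, char *out, size_t outsz)
{
    /* `out` is never passed to realpath(): unless it is at least PATH_MAX
     * bytes that would be undefined behavior. A null pointer makes
     * realpath() allocate storage large enough for the result. */
    char *resolved = realpath(path, NULL);
    if (resolved == NULL)
        return -1;                      /* errno was set by realpath() */

    size_t len = strlen(resolved);
    if (len >= outsz) {                 /* no room for the terminating NUL */
        free(resolved);
        errno = ERANGE;
        return -1;
    }
    memcpy(out, resolved, len + 1);     /* bounded copy, includes the NUL */
    free(resolved);
    return 0;
}

/* The other permitted form: the caller supplies an array of at least
 * PATH_MAX bytes, and the parameter type documents that requirement. */
int resolve_fixed(const char *path, char out[PATH_MAX])
{
    return realpath(path, out) != NULL ? 0 : -1;
}
```
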