From: Matthias Goergens
To: musl@lists.openwall.com
Cc: Matthias Goergens
Date: Thu, 30 Mar 2023 16:12:20 +0800
Message-Id: <20230330081220.1128115-1-matthias.goergens@gmail.com>
Subject: [musl] [PATCH] Fix UB in getmntent_r on extremely long lines

8974ef2124118e4ed8cad7ee0534b36e5c584c4e tried to fix mishandling of extremely long lines.

Here's the relevant code snippet:

```
	len = strlen(linebuf);
	if (len > INT_MAX) continue;
	for (i = 0; i < sizeof n / sizeof *n; i++) n[i] = len;
	sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d",
		n, n+1, n+2, n+3, n+4, n+5, n+6, n+7,
		&mnt->mnt_freq, &mnt->mnt_passno);
} while (linebuf[n[0]] == '#' || n[1]==len);
```

Alas, that introduced undefined behaviour: if the very first line handled in the function is extremely long, `n` stays uninitialised, and thus accessing `n[0]` and `n[1]` is UB.

If we handle a few sane lines before hitting a crazy long line, we don't hit C-level undefined behaviour, but the function arguably still does the wrong thing.

The man page says:

> The getmntent() and getmntent_r() functions return a pointer to the
> mntent structure or NULL on failure.

So this patch does exactly that: return NULL to inform the caller that an error occurred.
--- src/misc/mntent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/misc/mntent.c b/src/misc/mntent.c index d404fbe3..d91c4964 100644
--- a/src/misc/mntent.c +++ b/src/misc/mntent.c @@ -43,7 +43,7 @@ struct mntent *getmntent_r(FILE *f, struct mntent *mnt, char *linebuf, int bufle } len = strlen(linebuf); - if (len > INT_MAX) continue; + if (len > INT_MAX) return NULL; for (i = 0; i < sizeof n / sizeof *n; i++) n[i] = len; sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d", n, n+1, n+2, n+3, n+4, n+5, n+6, n+7, -- 2.40.0
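Review bot: the new `return NULL` on the `len > INT_MAX` line leaves errno untouched, so a caller that iterates until NULL cannot tell this failure from normal end of input and will silently stop at the overlong line. Consider setting errno before returning, for example `errno = ERANGE;`, and adding a short comment that `continue` at this point would reach the `while` condition with `n` never assigned, so the early return is not later turned back into a `continue`.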
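The second case in the message (an overlong line reached after an earlier line was already parsed in the same call), as an added example that is not musl's code or part of the original patch. It is a reduced model of the quoted loop: `MAX_LEN` stands in for `INT_MAX`, `n[]` is zeroed so the model stays defined, and `next_entry`, `sample` and the `patched` flag are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Reduced model of the quoted loop. MAX_LEN stands in for INT_MAX, and n[]
 * starts zeroed so the model has defined behaviour; in the real function
 * n[] is uninitialised on entry. All names here are hypothetical. */
#define MAX_LEN 64

/* Constructed input: a comment line, an overlong line, a normal entry. */
static const char *const sample[] = {
    "# comment\n",
    "/dev/disk/by-id/constructed-overlong-device-name-0123456789-0123456789"
    " /mnt ext4 rw 0 0\n",
    "/dev/sda1 / ext4 rw 0 1\n",
};

/* Returns 1 and copies the first field to fsname, or 0 (the NULL return). */
static int next_entry(int patched, char *fsname, size_t fsname_sz)
{
    int n[8] = {0}, freq, passno;
    const char *linebuf;
    size_t len, i, pos = 0;

    do {
        if (pos >= sizeof sample / sizeof *sample) return 0;
        linebuf = sample[pos++];
        len = strlen(linebuf);
        if (len > MAX_LEN) {
            if (patched) return 0;  /* patched: fail the call */
            continue;               /* original: jump to the while test */
        }
        for (i = 0; i < sizeof n / sizeof *n; i++) n[i] = (int)len;
        sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d",
               n, n+1, n+2, n+3, n+4, n+5, n+6, n+7, &freq, &passno);
    } while (linebuf[n[0]] == '#' || n[1] == (int)len);

    /* n[] may still describe the previous line, not the one in linebuf. */
    snprintf(fsname, fsname_sz, "%.*s", n[1] - n[0], linebuf + n[0]);
    return 1;
}

int main(void)
{
    char name[32] = "";
    printf("original: %d \"%s\"\n", next_entry(0, name, sizeof name), name);
    printf("patched:  %d\n", next_entry(1, name, sizeof name));
    return 0;
}
```

With `continue`, the loop test runs against the comment line's offsets while `linebuf` already holds the overlong line, so the call hands back an entry cut from the wrong line; with the early return the call fails instead.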