From: Leah Neukirchen
Newsgroups: gmane.linux.lib.musl.general
Subject: Out-of-bounds read in twobyte_memmem
Date: Thu, 29 Jun 2017 15:37:19 +0200
Message-ID: <87r2y2vrsg.fsf@gmail.com>
To: musl@lists.openwall.com

Hello,

As mentioned in #musl, twobyte_memmem in memmem.c does an out-of-bounds read of the byte after the final byte of the buffer, when it updates hw using *++h before checking k. Similar code in strstr is unproblematic since there it will only read the NUL terminator.

Proposed solution is to rewrite the for-loop to make control flow order explicit, but there may be a more idiomatic solution than this:

    #include <stddef.h>
    #include <stdint.h>

    static char *twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
    {
    	uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1];
    	h++; k--;
    	for (;;) {
    		if (hw == nw) return (char *)h-1;
    		if (!--k) return 0;   /* remaining length is checked before the next byte is fetched */
    		hw = hw<<8 | *++h;
    	}
    	return 0;
    }

This bug was detected by @mourais during development of mblaze on OpenBSD, using MALLOC_OPTIONS=G.

Thanks,
--
Leah Neukirchen
http://leah.zone
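An added example, not part of Leah's message or of musl itself: the loop shape the report describes beside the proposed rewrite, plus a small harness that does what MALLOC_OPTIONS=G did on OpenBSD by placing the haystack flush against a PROT_NONE page, so the one-byte overread faults instead of going unnoticed. The old loop is reconstructed from the report's description, and search_at_guard with its use_old flag is my own naming.

```c
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Loop shape as the report describes it (reconstructed, not copied from the message):
 * the increment clause fetches *++h BEFORE the condition tests k, so when the final
 * comparison fails it reads the byte just past the buffer. On the guarded buffer
 * below, a non-matching needle therefore faults, which is the MALLOC_OPTIONS=G signal. */
static char *twobyte_memmem_old(const unsigned char *h, size_t k, const unsigned char *n)
{
	uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1];
	for (h++, k--; k; k--, hw = hw<<8 | *++h)
		if (hw == nw) return (char *)h-1;
	return 0;
}

/* The proposed rewrite: the remaining-length check now precedes the fetch. */
static char *twobyte_memmem_fixed(const unsigned char *h, size_t k, const unsigned char *n)
{
	uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1];
	h++; k--;
	for (;;) {
		if (hw == nw) return (char *)h-1;
		if (!--k) return 0;
		hw = hw<<8 | *++h;
	}
}

/* Copy a constructed haystack so its last byte sits right before an inaccessible page.
 * Returns the match offset, -1 for no match, -2 if the guard page could not be set up. */
static long search_at_guard(const char *hay, size_t len, const char *needle, int use_old)
{
	size_t page = (size_t)sysconf(_SC_PAGESIZE);
	unsigned char *map = mmap(NULL, 2*page, PROT_READ|PROT_WRITE,
	                          MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
	if (map == MAP_FAILED) return -2;
	if (mprotect(map + page, page, PROT_NONE) != 0) { munmap(map, 2*page); return -2; }
	unsigned char *buf = map + page - len;      /* buf[len] is the first guarded byte */
	memcpy(buf, hay, len);
	const unsigned char *n = (const unsigned char *)needle;
	char *r = use_old ? twobyte_memmem_old(buf, len, n) : twobyte_memmem_fixed(buf, len, n);
	long off = r ? (long)(r - (char *)buf) : -1;
	munmap(map, 2*page);
	return off;
}
```

With use_old set to 1 and a needle that does not occur in the haystack, the process dies with SIGSEGV at the guard page; the fixed version returns -1 on the same input.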