From: Han Pingtian
To: zsh-workers@zsh.org
Date: Mon, 18 Aug 2014 10:56:20 +0800
Subject: Re: zsh 5.0.5-dev-2
Message-ID: <20140818025620.GA4198@localhost.localdomain>
In-Reply-To: <140817103030.ZM12944@torch.brasslantern.com>

On Sun, Aug 17, 2014 at 10:30:30AM -0700, Bart Schaefer wrote:
> On Aug 16, 8:35am, Han Pingtian wrote:
> }
> } I have tried PATH_MAX*3 and PATH_MAX*3 - 1, they both can fix the
> } buffer overflow here. I also tried PATH_MAX*2 + 1/2/3, they don't
> } fix this problem.
>
> I suspect Fortify is reporting a potential error rather than a real
> one, because we'd presumably have seen other problems before this if
> "cd .." actually caused an 8kb buffer on the stack to overflow.
>
> The whole symlink-chasing code is probably ripe to be rewritten with
> zsh-heap (or even malloc + static pointers) allocation unless we have
> reason to believe that's a serious performance issue.
>
> For the nonce I'll just commit xbuf2[PATH_MAX*3].

FYI. I have tried to print the length of xbuf and *pp before the
sprintf(). Looks like when the overflow is being triggered, the length of
xbuf is 8188 and the length of *pp is 10. After changing xbuf2's length
to PATH_MAX*3, the result is the same: when zsh prints

    zsh: path expansion failed, using root directory

the length of xbuf is 8188 and the length of *pp is 10.

All the tests were performed on top of
2be0d8bdef401b6bca0c80a7bd78d658e862e38e; I haven't yet merged your new
commit.

Thanks.