From: Oliver Kiddle <okiddle@yahoo.co.uk>
To: Zsh workers <zsh-workers@zsh.org>
Subject: PATCH: Stack-based buffer overflow in exec.c:hashcmd()
Date: Sat, 24 Mar 2018 14:02:37 +0100 [thread overview]
Message-ID: <7476.1521896557@thecus> (raw)
The code in exec.c:hashcmd() alocates a PATH_MAX+1 sized buffer but
doesn't check for overflows when copying the path strings which come
from $PATH. This bug corresponds to CVE-2018-1071 and was reported
off-list.
The copy is done using strucpy() which is like strcpy(3) except that
we increment the pointer for reasons of efficency. We also have a
struncpy() function but it is unconditionally copying n bytes before
adding a null. This isn't especially helpful - you could just add n
to the initial pointer to gain the efficiency and writing n+1 bytes
is asking for trouble. So this changes struncpy() to be closer to the
strncpy(3) analogue except I don't see the point in padding the whole
buffer with nulls. There was only one existing use of struncpy() in
exec.c:search_defpath().
diff --git a/Src/exec.c b/Src/exec.c
index 35b0bb191..e154d1249 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -934,7 +934,7 @@ hashcmd(char *arg0, char **pp)
for (; *pp; pp++)
if (**pp == '/') {
s = buf;
- strucpy(&s, *pp);
+ struncpy(&s, *pp, PATH_MAX);
*s++ = '/';
if ((s - buf) + strlen(arg0) >= PATH_MAX)
continue;
diff --git a/Src/utils.c b/Src/utils.c
index 3b589aa35..998b16220 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -2283,10 +2283,10 @@ struncpy(char **s, char *t, int n)
{
char *u = *s;
- while (n--)
- *u++ = *t++;
+ while (n-- && (*u++ = *t++));
*s = u;
- *u = '\0';
+ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
+ *u = '\0';
}
/* Return the number of elements in an array of pointers. *
reply other threads:[~2018-03-24 13:59 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7476.1521896557@thecus \
--to=okiddle@yahoo.co.uk \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).