From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 24557 invoked by alias); 24 Mar 2018 13:59:06 -0000 Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm Precedence: bulk X-No-Archive: yes List-Id: Zsh Workers List List-Post: List-Help: List-Unsubscribe: X-Seq: 42518 Received: (qmail 27950 invoked by uid 1010); 24 Mar 2018 13:59:05 -0000 X-Qmail-Scanner-Diagnostics: from park01.gkg.net by f.primenet.com.au (envelope-from , uid 7791) with qmail-scanner-2.11 (clamdscan: 0.99.2/21882. spamassassin: 3.4.1. Clear:RC:0(205.235.26.22):SA:0(-1.4/5.0):. Processed in 10.85695 secs); 24 Mar 2018 13:59:05 -0000 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on f.primenet.com.au X-Spam-Level: X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_NONE,SPF_PASS,T_DKIM_INVALID,T_RP_MATCHES_RCVD autolearn=no autolearn_force=no version=3.4.1 X-Envelope-From: SRS0=kkOk=GO=yahoo.co.uk=okiddle@bounces.park01.gkg.net X-Qmail-Scanner-Mime-Attachments: | X-Qmail-Scanner-Zip-Files: | X-Virus-Scanned: by amavisd-new at gkg.net Authentication-Results: amavisd4.gkg.net (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.co.uk X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s2048; t=1521899927; bh=ZJoYUBOuPFj98VNVoXk8cgGS+4kwE8CY+Un11SljM5Y=; h=From:To:Subject:Date:From:Subject; b=LkkdcVReSC7UdWhZBH9Ymv2zK3+0K2FqrYZoo5ATN5eYB0W/rZPnbFYPJHMspFyU4gXE8F85awFjfvv4Yu5ZQmT0Ry0+evWod2fpjXAt1VcsArSFHRVhdZj86+qwOb1QE6tMccUrCbece0ayABH+mqlbMxn6mZ63PKKvIpSYfi7FID7cGq6GzdrESHW/p18P44u8/zYHGJw8aGH3t92ZpKSqQ54PVGjP6Aplyw5Rp3sbU0qS2yZ5Yzd5njvAX8MSD+3mFnxidNq6/c9U430nB0cHV7jdQ+dzsGV8hSKzdDvKV1BbxXJx6MG1z8MZll+/IbddhevkEsggfH7jk7SPag== X-YMail-OSG: .3U4WhcVM1ltKvZy3krKovY9cqqBpYIvKGswTQvq1PFVS17x21Kh4zarM2WgKY_ jByGYYvCmyNNlVpS_llWPuZFzOl6XH9yXbH2Vv01Vh7iuGKOQK7usZt2bbqonoIauh1ByjST2me7 .ifXQPw7POBZMwf1DOG.nRmUqVyh74H3JswOO6CoH31r6ZjJ.jYaa9RWY42dMAeCq9WUJcN5inG7 O4wEj4USlqab6O.c0cPLtt5lHsXBYBbUBnSKaaUX531gHxpKaGmwEf__SkGqxNNRdUS5wfkh2.e_ EEY4OHzKV3Fj3zuLinvKrSGZezbjeQXFDgtmFGA7uAHshEeU3GUOiO1Snv8vG2D6nxmirbkz_Dq. L0nFEDT3c65EIvwskuy3mIsDFdFKMOnsQLGk_CCQRHrrZezhPaFzAUHdKBwRh8sTXLwXEy9WtWI2 B21BWfoWXNYprbw99sjLHPkCvdHRnKflsHVH2GaRgm2V5k97ORkUcQZJfEJT0wASSjp8NzftzRrg QqjJzW8ZDEA-- From: Oliver Kiddle To: Zsh workers Subject: PATCH: Stack-based buffer overflow in exec.c:hashcmd() MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <7475.1521896557.1@thecus> Date: Sat, 24 Mar 2018 14:02:37 +0100 Message-ID: <7476.1521896557@thecus> The code in exec.c:hashcmd() alocates a PATH_MAX+1 sized buffer but doesn't check for overflows when copying the path strings which come from $PATH. This bug corresponds to CVE-2018-1071 and was reported off-list. The copy is done using strucpy() which is like strcpy(3) except that we increment the pointer for reasons of efficency. We also have a struncpy() function but it is unconditionally copying n bytes before adding a null. This isn't especially helpful - you could just add n to the initial pointer to gain the efficiency and writing n+1 bytes is asking for trouble. So this changes struncpy() to be closer to the strncpy(3) analogue except I don't see the point in padding the whole buffer with nulls. There was only one existing use of struncpy() in exec.c:search_defpath(). diff --git a/Src/exec.c b/Src/exec.c index 35b0bb191..e154d1249 100644 --- a/Src/exec.c +++ b/Src/exec.c @@ -934,7 +934,7 @@ hashcmd(char *arg0, char **pp) for (; *pp; pp++) if (**pp == '/') { s = buf; - strucpy(&s, *pp); + struncpy(&s, *pp, PATH_MAX); *s++ = '/'; if ((s - buf) + strlen(arg0) >= PATH_MAX) continue; diff --git a/Src/utils.c b/Src/utils.c index 3b589aa35..998b16220 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -2283,10 +2283,10 @@ struncpy(char **s, char *t, int n) { char *u = *s; - while (n--) - *u++ = *t++; + while (n-- && (*u++ = *t++)); *s = u; - *u = '\0'; + if (n > 0) /* just one null-byte will do, unlike strncpy(3) */ + *u = '\0'; } /* Return the number of elements in an array of pointers. *