Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 42519
From: Oliver Kiddle
To: Zsh workers
Subject: PATCH: Stack-based buffer overflow in gen_matches_files() at compctl.c
Date: Sat, 24 Mar 2018 14:02:38 +0100
Message-ID: <7490.1521896558@thecus>

compctl.c:gen_matches_files() declares a local PATH_MAX-sized buffer which is used for storing the completion prefix along with completion candidate directories. It doesn't check that the current path actually fits into the buffer, however. This bug corresponds to CVE-2018-1083 and was reported off-list.

The patch adds a check in three places. This is tricky to test. I've managed to check all three branches - it now drops the completion candidate from consideration. But it would be good to have some more eyes on this. In particular, might any of the tests be off-by-one?

Note that this issue only affects code that the vast majority of users wouldn't exercise. In a minimally configured zsh setup (using compinit) filename completion is handled by different code.

Oliver

diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c index e9d165780..87d13afc1 100644 --- a/Src/Zle/compctl.c +++ b/Src/Zle/compctl.c @@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all) if (prpre && *prpre) { pathpref = dupstring(prpre); unmetafy(pathpref, &pathpreflen); + if (pathpreflen > PATH_MAX) + return; /* system needs NULL termination, not provided by unmetafy */ pathpref[pathpreflen] = '\0'; } else {
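Review bot: the `pathpreflen > PATH_MAX` test in the first hunk still admits a prefix of exactly PATH_MAX bytes. The cover note says the buffer has to hold the prefix plus a candidate name and a terminator, so a prefix that already fills it can never yield a usable path; `if (pathpreflen >= PATH_MAX) return;` would bail out once here instead of leaving the rejection to the per-candidate `umlen + pathpreflen + 1 > PATH_MAX` test in the next hunk, which otherwise runs the whole candidate loop only to drop every entry. It also makes the three checks consistent in how they account for the terminating byte.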
@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all) * the path buffer by appending the filename. */ ums = dupstring(n); unmetafy(ums, ¨en); + if (umlen + pathpreflen + 1 > PATH_MAX) + continue; memcpy(q, ums, umlen); q[umlen] = '\0'; /* And do the stat. */ @@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all) /* We have to test for a path suffix. */ int o = strlen(p), tt; + if (o + strlen(psuf) > PATH_MAX) + continue; /* Append it to the path buffer. */ strcpy(p + o, psuf);
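Review bot: the bound in the second hunk, `umlen + pathpreflen + 1 > PATH_MAX`, is the right one and is the shape the other two tests should follow: `memcpy(q, ums, umlen)` followed by `q[umlen] = '\0'` writes indices pathpreflen through pathpreflen + umlen of the path buffer, so the terminator stays inside a PATH_MAX-sized buffer exactly when pathpreflen + umlen + 1 <= PATH_MAX. That arithmetic assumes q is still p + pathpreflen at this point, which the hunk does not show; a one-line comment above the check stating that would make it verifiable in place. In this copy of the mail `unmetafy(ums, ¨en)` is extraction damage to `&umlen` (the `&uml` was read as an entity), not something in the patch.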
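Review bot: the third hunk's test is off by one, which answers the question in the cover note. `strcpy(p + o, psuf)` writes strlen(psuf) bytes plus the terminator starting at index o, so the last byte lands at p[o + strlen(psuf)]; with `if (o + strlen(psuf) > PATH_MAX)` the case o + strlen(psuf) == PATH_MAX is accepted and the NUL goes to p[PATH_MAX], one past a PATH_MAX-sized buffer. Use the same form as the previous hunk, `if (o + strlen(psuf) + 1 > PATH_MAX) continue;` (equivalently `>= PATH_MAX`). Minor: strlen(psuf) is recomputed for every candidate and could be hoisted out of the loop.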
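To make the boundary arithmetic concrete, the following is an added example and not zsh code. It models the path assembly described in the mail (prefix copied into a fixed-size buffer, then each candidate name, then the suffix) with the three comparisons written once in the shape the patch uses and once in the tight form, and performs the same writes into a buffer that carries one canary byte past the end. `BUFSZ` stands in for PATH_MAX, and all function and variable names here are illustrative; the inputs in `main` are constructed.

```c
/*
 * Added example (not zsh code): a model of the path assembly in
 * gen_matches_files(), with the patch's three bounds checks beside a
 * tight version.  BUFSZ stands in for PATH_MAX so the boundary case is
 * visible with short strings; all names here are illustrative.
 */
#include <stdio.h>
#include <string.h>

#define BUFSZ 16   /* stand-in for PATH_MAX */

/* The patch's three comparisons, on lengths only.  1 = keep candidate. */
int keep_patched(size_t preflen, size_t namelen, size_t suflen)
{
    size_t o;
    if (preflen > BUFSZ)                  /* hunk 1 */
        return 0;
    if (namelen + preflen + 1 > BUFSZ)    /* hunk 2 */
        return 0;
    o = preflen + namelen;                /* strlen(p) after the name is appended */
    if (o + suflen > BUFSZ)               /* hunk 3: no byte reserved for the NUL */
        return 0;
    return 1;
}

/* Tight form: every byte written, each terminator included, has index < BUFSZ. */
int keep_tight(size_t preflen, size_t namelen, size_t suflen)
{
    if (preflen >= BUFSZ)
        return 0;
    if (preflen + namelen + 1 > BUFSZ)
        return 0;
    if (preflen + namelen + suflen + 1 > BUFSZ)
        return 0;
    return 1;
}

/*
 * Perform the same sequence of writes the function performs (memcpy the
 * name after the prefix, terminate, strcpy the suffix after strlen) into
 * a buffer with one canary byte at index BUFSZ.  The supplied check
 * decides whether the candidate is kept.  Returns 1 if the candidate was
 * kept and the canary was overwritten, i.e. a write landed one past the
 * end of a BUFSZ-sized buffer; 0 if it was dropped or stayed in bounds.
 */
int simulate(int (*keep)(size_t, size_t, size_t),
             const char *prefix, const char *name, const char *suffix)
{
    char buf[BUFSZ + 1];
    size_t pl = strlen(prefix), nl = strlen(name), sl = strlen(suffix), o;

    memset(buf, 'A', BUFSZ);
    buf[BUFSZ] = '\x7f';                  /* canary: the byte the buffer does not own */

    if (!keep(pl, nl, sl))
        return 0;                         /* candidate dropped, nothing written */

    memcpy(buf, prefix, pl);              /* prefix copied in before the loop */
    memcpy(buf + pl, name, nl);           /* hunk 2's memcpy(q, ums, umlen) */
    buf[pl + nl] = '\0';                  /* q[umlen] = '\0' */
    o = strlen(buf);
    strcpy(buf + o, suffix);              /* hunk 3's strcpy(p + o, psuf) */

    return buf[BUFSZ] != '\x7f';
}

int main(void)
{
    /* Constructed inputs: 8 + 4 + 4 bytes fill BUFSZ exactly, leaving no room for the NUL. */
    printf("patched checks, 16-byte path: canary clobbered = %d\n",
           simulate(keep_patched, "/usr/lib", "zsh/", "/bin"));
    printf("tight checks,   16-byte path: canary clobbered = %d\n",
           simulate(keep_tight, "/usr/lib", "zsh/", "/bin"));
    printf("patched checks, 15-byte path: canary clobbered = %d\n",
           simulate(keep_patched, "/usr/lib", "zsh/", "bin"));
    return 0;
}
```

With the patch's comparisons a prefix, name and suffix whose lengths sum to exactly BUFSZ are kept and the terminator written by `strcpy` lands on the canary; with the `+ 1` form of the third check the same candidate is dropped, and a path one byte shorter is kept by both without touching the canary.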