aboutsummaryrefslogtreecommitdiff
path: root/init.d/dumpon.in
diff options
context:
space:
mode:
authorSergei Trofimovich <slyfox@gentoo.org>2017-05-30 21:58:32 +0100
committerWilliam Hubbs <w.d.hubbs@gmail.com>2017-05-30 16:21:23 -0500
commit0ddee9b7d2b8dea810e252ca6a95c457876df120 (patch)
tree66b78d52fc276156567ef4458c2bf6b23e9a79e4 /init.d/dumpon.in
parent688566c535111a141f77caf88db12a4338544f7b (diff)
openrc-init: fix buffer overflow in init.ctl
How to reproduce 1-byte overflow: ``` $ FEATURES=-test CFLAGS="-fsanitize=address -O0 -ggdb3" emerge -1 openrc ================================================================= ==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0efd8710 at pc 0x000000402076 bp 0x7fff0efd7d50 sp 0x7fff0efd7d40 WRITE of size 1 at 0x7fff0efd8710 thread T0 #0 0x402075 (/sbin/openrc-init+0x402075) #1 0x3cf6e2070f in __libc_start_main (/lib64/libc.so.6+0x3cf6e2070f) #2 0x4013b8 (/sbin/openrc-init+0x4013b8) Address 0x7fff0efd8710 is located in stack of thread T0 at offset 2432 in frame #0 0x401cfb (/sbin/openrc-init+0x401cfb) This frame has 3 object(s): [32, 160) 'signals' [192, 344) 'sa' [384, 2432) 'buf' <== Memory access at offset 2432 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ?? ``` The problem here is in the code handling reads from 'init.ctl': ``` int main(int argc, char **argv) { ... char buf[2048]; for (;;) { /* This will block until a command is sent down the pipe... */ fifo = fopen(RC_INIT_FIFO, "r"); count = fread(buf, 1, 2048, fifo); buf[count] = 0; ... } ``` `buf[count] = 0;` writes outside the buffer when `fread()` returns non-truncated read. This fixes #138.
Diffstat (limited to 'init.d/dumpon.in')
0 files changed, 0 insertions, 0 deletions