CVS commit: src/sys/kern

["Maxime Villard" <maxv%netbsd.org@localhost>]

Module Name:    src
Committed By:   maxv
Date:           Tue Apr 22 19:01:47 UTC 2014

Modified Files:
        src/sys/kern: kern_core.c

Log Message:
Fix a read-beyond-end string read.

coredump_buildname() copies 'pattern' into 'name', and handles special
characters such as "%n". "%n", if present, will be replaced by p->p_comm.

        error = coredump_buildname(p, name, pattern, MAXPATHLEN);

This function handles overflows, and returns an error when 'name' becomes
larger than MAXPATHLEN. However, when coredump() calls it, 'name' is used
before the error check, with:

        lastslash = strrchr(name, '/');

'name' is not guaranteed to be NUL-terminated, because of the *d = *s in
coredump_buildname(). This strrchr will read a string which is not NUL-
terminated (ie. until finding a '\0' in memory).

'pattern' can't be higher than MAXPATHLEN. A user can fill it in via a
PT_DUMPCORE ptrace call, given the input is not longer than MAXPATHLEN.
Since the 2-bytes-sized "%n"s will be replaced by p->p_comm (which is
user-settable, like a 10-bytes-sized "0123456789"), 'name' can become
longer than 'pattern' (and thus longer than MAXPATHLEN). Some 'a's at the
end of the buffer will make sure 'name' is not NUL-terminated.

    pattern: "%n%n%naaaaaaaaaaaaaaaaaaaaaaaaaaaa\0"
              | | | |||||||||||||||||||||||||||||
  ->   name: "012345678901234567890123456789aaaaa" [no \0]
              |         |         |         |||||MAXPATHLEN

Fix it by checking 'error' before calling strrchr.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/sys/kern/kern_core.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.