NetBSD-Bugs archive


lib/56260: [PATCH] Out-of-bounds stack read in lib/libc/gen/vis.c



>Number:         56260
>Category:       lib
>Synopsis:       [PATCH] Out-of-bounds stack read in lib/libc/gen/vis.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 18 10:05:00 +0000 2021
>Originator:     Alex Richardson
>Release:        N/A
>Organization:
FreeBSD
>Environment:
N/A
>Description:
I found an out-of-bounds stack read in the vis code when running FreeBSD compiled for CHERI. Since the vis code in FreeBSD is the same as NetBSD lib/libc/gen/vis.c the patch also applies here.

See https://cgit.freebsd.org/src/commit/?id=1a2f06d0f2905c9a18340b377cbbe772f2ca6844
>How-To-Repeat:
Call vis(3) without the VIS_NOLOCALE flag and two non-ASCII chars: it passes a 2-byte buffer to istrsenvisx, but the first loop iteration may attempt to decode up to MB_LEN_MAX bytes from the two-char buffer.
>Fix:
Apply the patch from https://cgit.freebsd.org/src/commit/?id=1a2f06d0f2905c9a18340b377cbbe772f2ca6844 - replace MB_LEN_MAX with MIN(mbslength, MB_LEN_MAX)
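The bounded length from the fix, shown as an added example that is not the report's or NetBSD's code: a hypothetical stand-in UTF-8 decoder (used instead of the locale-dependent mbrtowc(3)) and a scan loop of the shape the report describes, run over a constructed 2-byte string with one more byte lying just past its end, once with MB_LEN_MAX and once with MIN(mbslength, MB_LEN_MAX).

```c
#include <limits.h>   /* MB_LEN_MAX */
#include <wchar.h>
#define MIN(a, b) ((a) < (b) ? (a) : (b))
/* Hypothetical stand-in for mbrtowc(3), so no locale is needed: decodes one
 * UTF-8 sequence from at most n bytes; returns its length, 0 for NUL,
 * (size_t)-1 if invalid, (size_t)-2 if n bytes are not enough to finish. */
static size_t utf8_decode(wchar_t *wc, const char *s, size_t n)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t need, i;
    wchar_t v;
    if (n == 0) return (size_t)-2;
    if (p[0] < 0x80) { *wc = p[0]; return p[0] ? 1 : 0; }
    if ((p[0] & 0xe0) == 0xc0) { need = 2; v = p[0] & 0x1f; }
    else if ((p[0] & 0xf0) == 0xe0) { need = 3; v = p[0] & 0x0f; }
    else if ((p[0] & 0xf8) == 0xf0) { need = 4; v = p[0] & 0x07; }
    else return (size_t)-1;                    /* stray continuation byte */
    for (i = 1; i < need; i++) {
        if (i >= n) return (size_t)-2;         /* stop at the caller's limit */
        if ((p[i] & 0xc0) != 0x80) return (size_t)-1;
        v = (v << 6) | (p[i] & 0x3f);
    }
    *wc = v;
    return need;
}

/* Loop of the shape the report describes; returns bytes consumed in total. */
static size_t scan_bytes(const char *mbsrc, size_t mbslength, int bounded)
{
    size_t consumed = 0, clen;
    wchar_t wc;
    while (mbslength > 0) {
        /* The bug: MB_LEN_MAX ignores how much input is actually left. */
        clen = utf8_decode(&wc, mbsrc,
                           bounded ? MIN(mbslength, MB_LEN_MAX) : MB_LEN_MAX);
        if (clen == (size_t)-1 || clen == (size_t)-2 || clen == 0)
            clen = 1;                          /* process as a single byte */
        mbsrc += clen;
        consumed += clen;
        mbslength = clen >= mbslength ? 0 : mbslength - clen;
    }
    return consumed;
}

/* Constructed input: first two bytes of U+20AC, then a stray third byte. */
size_t demo_consumed(int bounded)
{
    static const char stack[] = "\xe2\x82\xac";
    return scan_bytes(stack, 2, bounded);      /* 3 unbounded, 2 bounded */
}
```

demo_consumed(0) reports 3 bytes consumed, one past the 2-byte string, while demo_consumed(1) stays at 2 and handles the truncated sequence byte by byte.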