[PATCH v1] Add bounds checking in sys_query_module
Mike Frysinger
vapier at gentoo.org
Wed Aug 6 13:44:56 UTC 2014
On Mon 04 Aug 2014 08:31:30 zubin.mithra at gmail.com wrote:
> --- a/bjm.c
> +++ b/bjm.c
> @@ -121,6 +121,8 @@ sys_query_module(struct tcb *tcp)
> (idx ? ", " : ""),
> mod);
> mod += strlen(mod)+1;
> + if (mod-data >= tcp->u_arg[3])
> + break;
this check is incomplete. if the buffer is not NUL terminated, then the
string reading code will read beyond the end. you can protect against that by
doing:
char *data = malloc(tcp->u_arg[3] + 1);
then before the for loop here, make sure the buffer is NUL terminated:
data[tcp->u_arg[3]] = '\0';
as for this check, i think it's weirdly written. it makes more sense to me:
if (mod >= data + tcp->u_arg[3])
also, when you do break, don't you want to print out a ... to indicate ?
> @@ -144,6 +146,8 @@ sys_query_module(struct tcb *tcp)
> tprintf(" /* %lu entries */ ", (unsigned long)ret);
> } else {
> for (idx = 0; idx < ret; idx++) {
> + if ((long)sym->name >= tcp->u_arg[3])
> + break;
> tprintf("%s{name=%s, value=%lu}",
> (idx ? " " : ""),
> data+(long)sym->name,
i think this too is incomplete. the sym++ might walk past the end of the
data, sym->name is unsigned while u_arg is signed, and the symbol name might
start near the end of the valid region but then walk beyond it (no NUL
termination). so i guess what are you trying to protect against ?
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20140806/132bebbb/attachment.bin>
More information about the Strace-devel
mailing list