[PATCH v1] unwind.c: fix a possible buffer overflow
Dmitry V. Levin
ldv at altlinux.org
Mon Mar 13 15:44:36 UTC 2017
On Sat, Mar 11, 2017 at 02:27:33PM +0300, Victor Krapivensky wrote:
> Linux does not prevent a user from creating a lot of nested directories
> with length of the absolute path of the deepest one exceeding PATH_MAX,
> then chdir'ing into it, creating a file there and mmap'ing it. Since the
> length of the prefix preceding the pathname in /proc/[pid]/maps is not
> necessarily 80 (it's 73 on my machine), an overflow is possible.
>
> * unwind.c: Fix a possible buffer overflow.
> ---
> unwind.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/unwind.c b/unwind.c
> index 326d184..6a7f342 100644
> --- a/unwind.c
> +++ b/unwind.c
> @@ -159,7 +159,7 @@ build_mmap_cache(struct tcb* tcp)
> struct mmap_cache_t *entry;
> unsigned long start_addr, end_addr, mmap_offset;
> char exec_bit;
> - char binary_path[PATH_MAX];
> + char binary_path[sizeof(buffer)];
>
> if (sscanf(buffer, "%lx-%lx %*c%*c%c%*c %lx %*x:%*x %*d %[^\n]",
> &start_addr, &end_addr, &exec_bit,
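Review bot: the new bound `char binary_path[sizeof(buffer)];` is only correct while `buffer` is a local array in this function; on a pointer, `sizeof(buffer)` would silently evaluate to the pointer size, and `buffer`'s declaration is outside this hunk's context, so it is worth confirming. Because the `%[^\n]` conversion in the `sscanf` call carries no field width, the whole guarantee now rests on `binary_path` and `buffer` having the same size; a one-line comment beside the new declaration saying that the two must stay coupled would stop a later edit to either array from reintroducing the overflow.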
Applied, thanks.
btw, does the kernel impose any limits on /proc/$pid/maps line length?
If not, we probably should support longer lines, too.
P.S. Next time please do not embed several patches into a single email,
it's too easy to miss them. Also, inline patches are easier to discuss
than attached ones, so please send them inline if possible.
--
ldv