[PATCH v1] unwind.c: fix a possible buffer overflow

Dmitry V. Levin ldv at altlinux.org
Mon Mar 13 15:44:36 UTC 2017


On Sat, Mar 11, 2017 at 02:27:33PM +0300, Victor Krapivensky wrote:
> Linux does not prevent a user from creating a lot of nested directories
> with the length of the absolute path of the deepest one exceeding PATH_MAX,
> then chdir'ing into it, creating a file there and mmap'ing it. Since the
> length of the prefix preceding the pathname in /proc/[pid]/maps is not
> necessarily 80 (it's 73 on my machine), an overflow is possible.
> 
> * unwind.c: Fix a possible buffer overflow.
> ---
>  unwind.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/unwind.c b/unwind.c
> index 326d184..6a7f342 100644
> --- a/unwind.c
> +++ b/unwind.c
> @@ -159,7 +159,7 @@ build_mmap_cache(struct tcb* tcp)
>  		struct mmap_cache_t *entry;
>  		unsigned long start_addr, end_addr, mmap_offset;
>  		char exec_bit;
> -		char binary_path[PATH_MAX];
> +		char binary_path[sizeof(buffer)];
>  
>  		if (sscanf(buffer, "%lx-%lx %*c%*c%c%*c %lx %*x:%*x %*d %[^\n]",
>  			   &start_addr, &end_addr, &exec_bit,
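Review bot: `sizeof(buffer)` is only a correct bound if `buffer` is a fixed-size array in this scope, and its declaration is not visible in the hunk; should it be (or later become) a pointer, `sizeof` would yield the pointer size and the `%[^\n]` conversion into `binary_path` would be unbounded again. An explicit width in the conversion derived from the array size, or a comment at the `buffer` declaration noting that `binary_path` is sized from it, would make the invariant visible. Separately, when a maps line is longer than `buffer`, the read is cut short and `%[^\n]` parses a partial path without any error; checking that the line ends in '\n' before caching the entry would catch that case.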

Applied, thanks.

btw, does the kernel impose any limits on /proc/$pid/maps line length?
If not, we probably should support longer lines, too.
 
P.S.  Next time, please do not embed several patches into a single email;
it's too easy to miss them.  Also, inline patches are easier to discuss
than attached ones, so please send them inline if possible.


-- 
ldv
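The mechanism described in the quoted message (a mapped path longer than PATH_MAX does not fit a PATH_MAX-sized destination, while it can never be longer than the line it is a suffix of) and the line-length question raised in the reply, as an added example that is not strace's code. The parser below sizes the path field from the line buffer, puts an explicit width on the `%[^\n]` conversion so the bound is visible in the format itself, and refuses a line that filled the buffer without a trailing newline, since that is what a truncated read looks like. `MAPS_LINE_MAX`, `struct maps_entry` and all function names are assumptions for this example; the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Assumed line buffer size for reading /proc/[pid]/maps (example value,
   not strace's). Large enough that a PATH_MAX-plus path fits on one line. */
#define MAPS_LINE_MAX 8192

struct maps_entry {
	unsigned long start_addr;
	unsigned long end_addr;
	unsigned long mmap_offset;
	char exec_bit;
	/* Sized from the line buffer, not PATH_MAX: the path is a suffix of
	   the line, so it cannot be longer than the line itself. */
	char binary_path[MAPS_LINE_MAX];
};

/* Parse one /proc/[pid]/maps line. Returns false if the line does not
   parse or if it is a truncated read (buffer full, no trailing newline). */
bool parse_maps_line(const char *line, struct maps_entry *e)
{
	char fmt[128];
	size_t len = strlen(line);

	/* fgets() into a MAPS_LINE_MAX buffer hands back exactly
	   MAPS_LINE_MAX - 1 characters without '\n' when the line was
	   longer than the buffer; the path would be cut off, so refuse it. */
	if (len == MAPS_LINE_MAX - 1 && line[len - 1] != '\n')
		return false;

	/* Build the format so the width on %[^\n] is derived from the
	   destination size (minus one for the terminating NUL). */
	snprintf(fmt, sizeof fmt,
		 "%%lx-%%lx %%*c%%*c%%c%%*c %%lx %%*x:%%*x %%*d %%%zu[^\n]",
		 sizeof(e->binary_path) - 1);
	e->binary_path[0] = '\0';
	int n = sscanf(line, fmt, &e->start_addr, &e->end_addr, &e->exec_bit,
		       &e->mmap_offset, e->binary_path);
	/* Anonymous mappings have no path, so four conversions suffice. */
	return n >= 4;
}

/* Constructed sample line in /proc/[pid]/maps format. */
static const char sample_line[] =
	"7f3a2c000000-7f3a2c021000 r-xp 00000000 08:01 1234567    /usr/lib/libc.so.6\n";

/* True if the sample line parses into the expected fields. */
bool sample_parses(void)
{
	struct maps_entry e;
	if (!parse_maps_line(sample_line, &e))
		return false;
	return e.start_addr == 0x7f3a2c000000UL && e.end_addr == 0x7f3a2c021000UL
	       && e.exec_bit == 'x' && e.mmap_offset == 0
	       && strcmp(e.binary_path, "/usr/lib/libc.so.6") == 0;
}

/* Constructed line whose path is PATH_MAX + 16 bytes long: the case that
   overflowed a PATH_MAX-sized destination. Returns the parsed path length,
   or -1 if parsing fails. */
long long_path_len(void)
{
	static char line[MAPS_LINE_MAX];
	struct maps_entry e;
	size_t path_len = PATH_MAX + 16;
	int hdr = snprintf(line, sizeof line,
			   "7f3a2c000000-7f3a2c021000 r--p 00000000 08:01 42 ");
	/* Fill the path with repeated directory components "/ddddddd". */
	for (size_t i = 0; i < path_len; i++)
		line[hdr + i] = (i % 8 == 0) ? '/' : 'd';
	line[hdr + path_len] = '\n';
	line[hdr + path_len + 1] = '\0';
	if (!parse_maps_line(line, &e))
		return -1;
	return (long)strlen(e.binary_path);
}

/* Constructed truncated read: the buffer is full and there is no '\n',
   exactly what fgets() returns for a line longer than the buffer. */
bool truncated_line_rejected(void)
{
	static char line[MAPS_LINE_MAX];
	struct maps_entry e;
	int hdr = snprintf(line, sizeof line,
			   "7f3a2c000000-7f3a2c021000 r--p 00000000 08:01 42 ");
	memset(line + hdr, 'd', MAPS_LINE_MAX - 1 - hdr);
	line[MAPS_LINE_MAX - 1] = '\0';
	return !parse_maps_line(line, &e);
}

int main(void)
{
	struct maps_entry e;
	if (parse_maps_line(sample_line, &e))
		printf("%lx-%lx exec=%c path=%s\n", e.start_addr, e.end_addr,
		       e.exec_bit, e.binary_path);
	printf("long path parsed: %ld bytes\n", long_path_len());
	printf("truncated line rejected: %d\n", truncated_line_rejected());
	return 0;
}
```

The truncation check is what turns the reply's question into a defensive property: whatever limit the kernel does or does not impose, a line that did not fit the buffer is detected instead of being cached as a shorter, wrong path.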