| Summary: | Buffer overflow in libdtrace | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Pedro F. Giffuni <pfg> |
| Component: | bin | Assignee: | Mark Johnston <markj> |
| Status: | Closed FIXED | | |
| Severity: | Affects Some People | CC: | delphij, emaste, op |
| Priority: | --- | Keywords: | patch |
| Version: | CURRENT | | |
| Hardware: | Any | | |
| OS: | Any | | |
| Attachments: | Possible fix (attachment 159080) | | |

Description (Pedro F. Giffuni):

While testing with the experimental version of FORTIFY_SOURCE from GSoC 2015, this issue was found on MIPS (with the native gcc 4.2.1).

```
...
===> cddl/lib/libdtrace (all)
cc1: warnings being treated as errors
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c: In function 'dt_printf_format':
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c:1562: warning: call to __snprintf_chk will always overflow destination buffer
--- dt_printf.So ---
*** [dt_printf.So] Error code 1

make[7]: stopped in /scratch/tmp/pfg/head/cddl/lib/libdtrace
1 error
...
```

For comparison, coverity found this:

```
1561        if (width != 0)
1562                f += snprintf(f, sizeof (format), "%d", ABS(width));
1563
        60. Condition prec > 0, taking true branch
1564        if (prec > 0)
        CID 1018005 (#1 of 1): Out-of-bounds access (OVERRUN)
        61. overrun-buffer-arg: Overrunning buffer pointed to by f of 64 bytes by passing it to a function which accesses it at byte offset 70 using argument 64U. [Note: The source code implementation of the function has been overridden by a builtin model.]
1565                f += snprintf(f, sizeof (format), ".%d", prec);
1566
...
```

Comment #1 (Pedro F. Giffuni):

Created attachment 159080: Possible fix

Patch from Robert Mustacchi (Joyent - Illumos).

Comment #2:

(In reply to Pedro F. Giffuni from comment #1)

For the record: Robert's patch appears to fix the issue in FORTIFY_SOURCE, but I haven't otherwise tested it. Robert Mustacchi recommends running the DTrace tests.

Comment #3 (commit-hook):

A commit references this bug:

```
Author: markj
Date: Sun Aug 2 00:18:49 UTC 2015
New revision: 286169
URL: https://svnweb.freebsd.org/changeset/base/286169

Log:
  Perform bounds checking when constructing a format string.

  This was detected by the FORTIFY_SOURCE build.

  PR:		201657
  Reported by:	pfg
  MFC after:	2 weeks

Changes:
  head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c
```

Comment #4 (Xin LI):

(In reply to commit-hook from comment #3)

Can you merge the change?

Comment #5 (commit-hook):

A commit references this bug:

```
Author: markj
Date: Thu Aug 27 23:46:12 UTC 2015
New revision: 287226
URL: https://svnweb.freebsd.org/changeset/base/287226

Log:
  MFC r286169:
  Perform bounds checking when constructing a format string.

  PR:		201657

Changes:
_U  stable/10/
  stable/10/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c
```

Comment #6 (commit-hook):

A commit references this bug:

```
Author: markj
Date: Thu Aug 27 23:46:46 UTC 2015
New revision: 287228
URL: https://svnweb.freebsd.org/changeset/base/287228

Log:
  MFC r286169:
  Perform bounds checking when constructing a format string.

  PR:		201657

Changes:
_U  stable/9/cddl/contrib/opensolaris/
_U  stable/9/cddl/contrib/opensolaris/lib/libdtrace/common/
  stable/9/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c
```

Comment #7:

(In reply to Xin LI from comment #4)

Done, sorry for the delay. :(
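The `f += snprintf(f, sizeof (format), ...)` pattern quoted from dt_printf_format() in the report passes the whole buffer size even after `f` has advanced, and because snprintf() returns the length it would have written, a truncated call still moves `f` past the end of the buffer. The following is an added example, not the page's or FreeBSD's code (the actual r286169 change is not reproduced here), showing one way to build the same width/precision directive with bounds checks; `build_format`, `fmt_putc` and `fmt_append` are hypothetical names, and the 64-byte buffer in the test below is taken from the Coverity report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: append one character at *fp, keeping room for the NUL. */
static bool
fmt_putc(const char *base, size_t size, char **fp, char c)
{
	if ((size_t)(*fp - base) + 2 > size)
		return false;
	*(*fp)++ = c;
	**fp = '\0';
	return true;
}

/* Hypothetical helper: append snprintf() output at *fp.  The size passed to
 * snprintf() is the space actually left, not sizeof(format) as in the reported
 * code, and a truncated result is an error instead of advancing f past the end. */
static bool
fmt_append(const char *base, size_t size, char **fp, const char *spec, int val)
{
	size_t left = size - (size_t)(*fp - base);
	int n = snprintf(*fp, left, spec, val);
	if (n < 0 || (size_t)n >= left)
		return false;
	*fp += n;
	return true;
}

/* Build "%[-][width][.prec]conv" into format (size bytes), mirroring the width
 * and precision steps quoted from dt_printf_format() but with bounds checks.
 * Returns 0 on success, -1 if the directive would not fit. */
int
build_format(char *format, size_t size, bool left, int width, int prec, char conv)
{
	char *f = format;
	if (size == 0)
		return -1;
	*f = '\0';
	if (!fmt_putc(format, size, &f, '%'))
		return -1;
	if (left && !fmt_putc(format, size, &f, '-'))
		return -1;
	if (width != 0 && !fmt_append(format, size, &f, "%d", abs(width)))
		return -1;
	if (prec > 0 && !fmt_append(format, size, &f, ".%d", prec))
		return -1;
	return fmt_putc(format, size, &f, conv) ? 0 : -1;
}
```

The FORTIFY_SOURCE warning fires because the second snprintf() argument is a compile-time constant larger than the space left; passing the remaining size instead also makes the compiler's bounds model agree with the runtime behaviour.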