| Summary: | Out-of-bounds read in wcsncat(3) | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Alexander Cherepanov <cherepan> | ||||||
| Component: | bin | Assignee: | Brooks Davis <brooks> | ||||||
| Status: | Closed FIXED | ||||||||
| Severity: | Affects Some People | CC: | brooks | ||||||
| Priority: | --- | Keywords: | patch | ||||||
| Version: | CURRENT | Flags: | brooks:
mfc-stable10+
brooks: mfc-stable9+ |
||||||
| Hardware: | Any | ||||||||
| OS: | Any | ||||||||
| Attachments: |
|
||||||||
|
Description
Alexander Cherepanov
2016-01-12 22:40:10 UTC
Created attachment 165468 [details]
Crashing testcase
The issue is similar to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206178 . Great catch! I'll get this committed. FYI, on CHERI we'll hit this for all buffers not just ones that back into an unmapped page (our pointers have hardware enforced bounds checks). Thanks! And thanks for pointing to CHERI. A commit references this bug: Author: brooks Date: Wed Jan 13 21:49:01 UTC 2016 New revision: 293855 URL: https://svnweb.freebsd.org/changeset/base/293855 Log: Avoid reading pass the end of the source buffer when it is not NUL terminated. If this buffer is adjacent to an unmapped page or a version of C with bounds checked is used this may result in a crash. PR: 206177 Submitted by: Alexander Cherepanov <cherepan@mccme.ru> MFC after: 1 week Changes: head/lib/libc/string/wcsncat.c A commit references this bug: Author: brooks Date: Wed Jan 20 19:08:50 UTC 2016 New revision: 294453 URL: https://svnweb.freebsd.org/changeset/base/294453 Log: MFC r293855: Avoid reading pass the end of the source buffer when it is not NUL terminated. If this buffer is adjacent to an unmapped page or a version of C with bounds checked is used this may result in a crash. PR: 206177 Submitted by: Alexander Cherepanov <cherepan@mccme.ru> Changes: _U stable/10/ stable/10/lib/libc/string/wcsncat.c A commit references this bug: Author: brooks Date: Wed Jan 20 19:52:01 UTC 2016 New revision: 294456 URL: https://svnweb.freebsd.org/changeset/base/294456 Log: MFC r293855: Avoid reading pass the end of the source buffer when it is not NUL terminated. If this buffer is adjacent to an unmapped page or a version of C with bounds checked is used this may result in a crash. PR: 206177 Submitted by: Alexander Cherepanov <cherepan@mccme.ru> Changes: _U stable/9/lib/libc/ stable/9/lib/libc/string/wcsncat.c A commit references this bug: Author: brooks Date: Fri Jan 22 00:08:16 UTC 2016 New revision: 294537 URL: https://svnweb.freebsd.org/changeset/base/294537 Log: MFC r293855: Avoid reading pass the end of the source buffer when it is not NUL terminated. If this buffer is adjacent to an unmapped page or a version of C with bounds checked is used this may result in a crash. PR: 206177 Submitted by: Alexander Cherepanov <cherepan@mccme.ru> Requested by: danfe Changes: _U stable/8/lib/libc/ stable/8/lib/libc/string/wcsncat.c |