Bug 201657 - Buffer overflow in libdtrace
Summary: Buffer overflow in libdtrace
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Mark Johnston
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2015-07-17 18:42 UTC by Pedro F. Giffuni
Modified: 2015-08-27 23:47 UTC

See Also:


Attachments
Possible fix (1.19 KB, patch)
2015-07-22 18:49 UTC, Pedro F. Giffuni

Description Pedro F. Giffuni freebsd_committer 2015-07-17 18:42:26 UTC
While testing with the experimental version of FORTIFY_SOURCE from GSoC 2015, this issue was found on MIPS (with the native gcc 4.2.1).
...
===> cddl/lib/libdtrace (all)
cc1: warnings being treated as errors
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c: In function 'dt_printf_format':
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c:1562: warning: call to __snprintf_chk will always overflow destination buffer
--- dt_printf.So ---
*** [dt_printf.So] Error code 1

make[7]: stopped in /scratch/tmp/pfg/head/cddl/lib/libdtrace
1 error
...

For comparison, Coverity found this:

1561                if (width != 0)
1562                        f += snprintf(f, sizeof (format), "%d", ABS(width));
1563

60. Condition prec > 0, taking true branch
1564                if (prec > 0)

CID 1018005 (#1 of 1): Out-of-bounds access (OVERRUN)
61. overrun-buffer-arg: Overrunning buffer pointed to by f of 64 bytes by passing it to a function which accesses it at byte offset 70 using argument 64U. [Note: The source code implementation of the function has been overridden by a builtin model.]
1565                        f += snprintf(f, sizeof (format), ".%d", prec);
1566
...
Comment 1 Pedro F. Giffuni freebsd_committer 2015-07-22 18:49:34 UTC
Created attachment 159080 [details]
Possible fix

Patch from Robert Mustacchi (Joyent - Illumos).
Comment 2 Pedro F. Giffuni freebsd_committer 2015-07-26 22:07:41 UTC
(In reply to Pedro F. Giffuni from comment #1)

For the record: Robert's patch appears to fix the issue in FORTIFY_SOURCE, but I haven't otherwise tested it. Robert Mustacchi recommends running the DTrace tests.
Comment 3 commit-hook freebsd_committer 2015-08-02 00:19:03 UTC
A commit references this bug:

Author: markj
Date: Sun Aug  2 00:18:49 UTC 2015
New revision: 286169
URL: https://svnweb.freebsd.org/changeset/base/286169

Log:
  Perform bounds checking when constructing a format string.

  This was detected by the FORTIFY_SOURCE build.

  PR:		201657
  Reported by:	pfg
  MFC after:	2 weeks

Changes:
  head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c
Comment 4 Xin LI freebsd_committer 2015-08-25 05:41:35 UTC
(In reply to commit-hook from comment #3)
Can you merge the change?
Comment 5 commit-hook freebsd_committer 2015-08-27 23:46:50 UTC
A commit references this bug:

Author: markj
Date: Thu Aug 27 23:46:12 UTC 2015
New revision: 287226
URL: https://svnweb.freebsd.org/changeset/base/287226

Log:
  MFC r286169:
  Perform bounds checking when constructing a format string.

  PR:	201657

Changes:
_U  stable/10/
  stable/10/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c
Comment 6 commit-hook freebsd_committer 2015-08-27 23:46:52 UTC
A commit references this bug:

Author: markj
Date: Thu Aug 27 23:46:46 UTC 2015
New revision: 287228
URL: https://svnweb.freebsd.org/changeset/base/287228

Log:
  MFC r286169:
  Perform bounds checking when constructing a format string.

  PR:	201657

Changes:
_U  stable/9/cddl/contrib/opensolaris/
_U  stable/9/cddl/contrib/opensolaris/lib/libdtrace/common/
  stable/9/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c
Comment 7 Mark Johnston freebsd_committer 2015-08-27 23:47:54 UTC
(In reply to Xin LI from comment #4)
Done, sorry for the delay. :(