Bug 206552 - [libc] Possible buffer overflow after flushing line-buffered files when only partial data was written
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.2-RELEASE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2016-01-24 01:20 UTC by mccoy
Modified: 2017-04-23 18:21 UTC

Attachments
A test program that demonstrates the buffer overflow (4.73 KB, text/plain)
2016-01-24 01:20 UTC, mccoy

Description mccoy 2016-01-24 01:20:13 UTC
Created attachment 166034
A test program that demonstrates the buffer overflow

Please see the attached file evil.c for a possible scenario where it's possible to trigger a buffer overflow.

It uses a somewhat contrived example of non-blocking pipes as an underlying file descriptor, mainly because it's easy to trigger (partially) failed writes.

The defect can be located in the code /usr/src/lib/libc/stdio/fflush.c, function __sflush. Line-buffered files where write(s) have partially succeeded will have their internal write pointer increased, but will not get a corresponding write space decrease.

(so, the defect is: if fp is a FILE *, then fp->_p is increased but fp->_w is NOT decreased in this situation)

Sample output on my FreeBSD 10.2-RELEASE-p7 amd64 machine:

zsh 1311 % cc evil.c -o evil && ./evil
rc from fread(1): 1
rc from fwrite(1): 1
rc from fwrite(1021): 1021
rc from fflush: -1
rc from fwrite(1): 1
rc from fwrite(4): 4
Canary overwritten: 97 65 98 66
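To make the bookkeeping error the report describes concrete, the following is an added example written for this page; it is neither the reporter's evil.c nor libc's fflush.c. It models a stdio-style buffer with a write pointer (p) and a free-space count (w), drives a flush against a constructed short write (a stand-in for write(2) on a non-blocking pipe that accepts only 3 of 10 pending bytes), and runs the flush once with the accounting step left out and once with it present. The struct and function names are hypothetical. The consistency check at the end is the kind of invariant test a maintainer can keep around: after any flush, p + w must still equal the end of the buffer, otherwise the next buffered write trusts a free-space count larger than the room that actually remains.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Simplified model of the stdio bookkeeping the report talks about
 * (hypothetical names; this is NOT libc's FILE layout or code).
 * p is the write pointer into the buffer, w the free space behind it.
 * The two must agree:  (p - base) + w == BUF_SIZE. */
struct model_file {
    unsigned char  base[BUF_SIZE];
    unsigned char *p;
    int            w;
};

static void model_init(struct model_file *f)
{
    f->p = f->base;
    f->w = BUF_SIZE;
}

/* Constructed stand-in for write(2) on a non-blocking pipe: the pipe takes
 * at most *budget bytes in total, then reports failure (-1, as for EAGAIN). */
static int short_write(const unsigned char *buf, int n, int *budget)
{
    (void)buf;
    if (*budget <= 0)
        return -1;
    int t = n < *budget ? n : *budget;
    *budget -= t;
    return t;
}

/* Flush the pending bytes. On a partial write the unwritten tail is moved to
 * the front of the buffer and p advanced past it. With fix_accounting == false
 * the free-space count w is left untouched, which is the defect the report
 * describes: w then claims more room than the buffer really has. */
static int model_flush(struct model_file *f, int budget, bool fix_accounting)
{
    unsigned char *p = f->base;
    int n = (int)(f->p - p);     /* bytes pending in the buffer */
    int t;

    /* Mark the buffer empty before writing, as a flush routine does. */
    f->p = f->base;
    f->w = BUF_SIZE;

    for (; n > 0; n -= t, p += t) {
        t = short_write(p, n, &budget);
        if (t <= 0) {
            if (p > f->p) {              /* some bytes went out: keep the rest */
                memmove(f->p, p, (size_t)n);
                f->p += n;
                if (fix_accounting)
                    f->w -= n;           /* the step the report says is missing */
            }
            return -1;
        }
    }
    return 0;
}

/* True when the write pointer and the free-space count still agree. */
static bool accounting_consistent(const struct model_file *f)
{
    return (int)(f->p - f->base) + f->w == BUF_SIZE;
}

/* Bytes a subsequent write that trusts w would place past the end of the
 * buffer; 0 when the accounting is right. Computed on offsets, not pointers,
 * so the check itself never forms an out-of-bounds pointer. */
static int overrun_if_trusting_w(const struct model_file *f)
{
    int past_end = (int)(f->p - f->base) + f->w - BUF_SIZE;
    return past_end > 0 ? past_end : 0;
}

/* The report's sequence in miniature: 10 bytes buffered, the pipe accepts
 * only 3 of them, the flush fails and 7 bytes stay in the buffer. */
static void run_scenario(struct model_file *f, bool fix_accounting)
{
    model_init(f);
    memcpy(f->p, "0123456789", 10);          /* constructed sample data */
    f->p += 10;
    f->w -= 10;
    (void)model_flush(f, 3, fix_accounting); /* -1 in both variants */
}

int scenario_overrun(bool fix_accounting)
{
    struct model_file f;
    run_scenario(&f, fix_accounting);
    return overrun_if_trusting_w(&f);
}

bool scenario_consistent(bool fix_accounting)
{
    struct model_file f;
    run_scenario(&f, fix_accounting);
    return accounting_consistent(&f);
}

int main(void)
{
    printf("defective accounting: consistent=%d, overrun=%d bytes\n",
           scenario_consistent(false), scenario_overrun(false));
    printf("corrected accounting: consistent=%d, overrun=%d bytes\n",
           scenario_consistent(true), scenario_overrun(true));
    return 0;
}
```

With the accounting step omitted, the model ends up with 7 bytes still in the buffer but a free-space count of 16, so a later write that fills "the remaining space" runs 7 bytes past the end; with the step present the count is 9 and the invariant holds. The failed flush returns -1 either way, which matches the report's trace: the caller sees an error from fflush, but the corruption only shows up on the writes that follow.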