Bug 211958 - Boot overflows when reading loader.conf
Summary: Boot overflows when reading loader.conf
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: FreeBSD bugs mailing list
Reported: 2016-08-18 07:56 UTC by CTurt
Modified: 2016-08-24 15:20 UTC

Description CTurt 2016-08-18 07:56:55 UTC
There are some overflows when reading loader.conf, for example if you add a line like:

autoboot aaaaaaaaa...

It will overflow a 256 byte buffer here:

https://github.com/freebsd/freebsd/blob/af3e10e5a78d3af8cef6088748978c6c612757f0/sys/boot/common/boot.c#L132

https://github.com/freebsd/freebsd/blob/7fc7d2ed6e06340ab861cd094a78db87215ecff3/sys/boot/common/commands.c#L36

This sprintf pattern into command_errbuf seems to be repeated a lot, and should probably be replaced with slprintf.
Comment 1 commit-hook freebsd_committer 2016-08-20 16:23:57 UTC
A commit references this bug:

Author: tsoome
Date: Sat Aug 20 16:23:20 UTC 2016
New revision: 304532
URL: https://svnweb.freebsd.org/changeset/base/304532

Log:
  loader is filling fixed length command_errbuf with sprintf() and is trusting
  strings provided by user/config files. This update is replacing sprintf with
  snprintf for cases the command_errbuf is built from dynamic content.

  PR:		211958
  Reported by:	ecturt@gmail.com
  Reviewed by:	imp, allanjude
  Approved by:	imp (mentor), allanjude (mentor)
  Differential Revision:	https://reviews.freebsd.org/D7563

Changes:
  head/sys/boot/common/boot.c
  head/sys/boot/common/bootstrap.h
  head/sys/boot/common/commands.c
  head/sys/boot/common/interp.c
  head/sys/boot/common/ls.c
  head/sys/boot/common/module.c
  head/sys/boot/efi/loader/arch/amd64/framebuffer.c
  head/sys/boot/fdt/fdt_loader_cmd.c
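
The pattern discussed in this report, as an added example (not code from the FreeBSD tree or from the commit): an unbounded `sprintf()` into a fixed 256-byte error buffer beside the bounded `snprintf()` form, with truncation detected from the return value. The buffer name `errbuf`, the message text and the helper names are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 256            /* buffer size stated in the report */

/* Hypothetical stand-in for the loader's command_errbuf. */
static char errbuf[ERRBUF_SIZE];

/* "Before" pattern: writes the whole formatted string, however long,
 * so a config-supplied arg longer than the buffer overruns it. */
static void set_error_unbounded(const char *arg)
{
    sprintf(errbuf, "bad argument '%s'", arg);   /* constructed message */
}

/* "After" pattern: never writes more than sizeof(errbuf) bytes and
 * always NUL-terminates. Returns 1 if the message was truncated. */
static int set_error_bounded(const char *arg)
{
    int n = snprintf(errbuf, sizeof(errbuf), "bad argument '%s'", arg);
    return n < 0 || (size_t)n >= sizeof(errbuf);
}

/* Builds a constructed config value of `len` 'a' bytes (like the
 * "autoboot aaaa..." line in the report) and formats it safely. */
static int demo_long_value(size_t len)
{
    char value[1024];

    if (len >= sizeof(value))
        len = sizeof(value) - 1;
    memset(value, 'a', len);
    value[len] = '\0';
    return set_error_bounded(value);
}

int main(void)
{
    set_error_unbounded("x");      /* short input only: fits the buffer */
    printf("unbounded, short input: %s\n", errbuf);

    int truncated = demo_long_value(600);
    printf("bounded, 600-byte input: truncated=%d stored=%zu bytes\n",
           truncated, strlen(errbuf));
    return 0;
}
```
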