From owner-freebsd-bugs@freebsd.org  Fri Jul 17 18:42:26 2015
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 42C629A499B
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Fri, 17 Jul 2015 18:42:26 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 15EE316A5
 for <freebsd-bugs@FreeBSD.org>; Fri, 17 Jul 2015 18:42:26 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id t6HIgPFe067923
 for <freebsd-bugs@FreeBSD.org>; Fri, 17 Jul 2015 18:42:25 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 201657] Buffer overflow in libdtrace
Date: Fri, 17 Jul 2015 18:42:26 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: pfg@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-201657-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2015 18:42:26 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201657

            Bug ID: 201657
           Summary: Buffer overflow in libdtrace
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: pfg@FreeBSD.org

While testing with the experimental version of FORTIFY_SOURCE from GSoC 2015,
This issue was found on MIPS (with the native gcc 4.2.1).
...
===> cddl/lib/libdtrace (all)
cc1: warnings being treated as errors
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c:
In function 'dt_printf_format':
/scratch/tmp/pfg/head/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c:1562:
warning: call to __snprintf_chk will always overflow destination buffer
--- dt_printf.So ---
*** [dt_printf.So] Error code 1

make[7]: stopped in /scratch/tmp/pfg/head/cddl/lib/libdtrace
1 error
...

For comparison, coverity found this:

1561                if (width != 0)
1562                        f += snprintf(f, sizeof (format), "%d",
ABS(width));
1563

60. Condition prec > 0, taking true branch
1564                if (prec > 0)

CID 1018005 (#1 of 1): Out-of-bounds access (OVERRUN)61. overrun-buffer-arg:
Overrunning buffer pointed to by f of 64 bytes by passing it to a function
which accesses it at byte offset 70 using argument 64U. [Note: The source code
implementation of the function has been overridden by a builtin model.]
1565                        f += snprintf(f, sizeof (format), ".%d", prec);
1566
...

-- 
You are receiving this mail because:
You are the assignee for the bug.