Date: Mon, 5 Jul 2021 09:47:06 GMT From: Alex Richardson <arichardson@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: c89f104c12e1 - stable/13 - vis(3): avoid out-of-bounds stack buffer reads Message-ID: <202107050947.1659l6Zl071532@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by arichardson: URL: https://cgit.FreeBSD.org/src/commit/?id=c89f104c12e196a86dac2aa6d9119ebb8e4aabe4 commit c89f104c12e196a86dac2aa6d9119ebb8e4aabe4 Author: Alex Richardson <arichardson@FreeBSD.org> AuthorDate: 2021-06-16 15:27:13 +0000 Commit: Alex Richardson <arichardson@FreeBSD.org> CommitDate: 2021-07-05 09:46:11 +0000 vis(3): avoid out-of-bounds stack buffer reads I found this while running kdump(1) on a CheriBSD system due to a capability length violation when printing the /etc/libmap.conf read() system call: it crashed immediately after printing the first line. Found by: CHERI Reviewed By: jhb MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D30771 (cherry picked from commit 1a2f06d0f2905c9a18340b377cbbe772f2ca6844) --- contrib/libc-vis/vis.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/contrib/libc-vis/vis.c b/contrib/libc-vis/vis.c index 21c07b70619d..c43186a44b51 100644 --- a/contrib/libc-vis/vis.c +++ b/contrib/libc-vis/vis.c @@ -465,7 +465,8 @@ istrsenvisx(char **mbdstp, size_t *dlen, const char *mbsrc, size_t mblength, while (mbslength > 0) { /* Convert one multibyte character to wchar_t. */ if (!cerr) - clen = mbrtowc(src, mbsrc, MB_LEN_MAX, &mbstate); + clen = mbrtowc(src, mbsrc, MIN(mbslength, MB_LEN_MAX), + &mbstate); if (cerr || clen < 0) { /* Conversion error, process as a byte instead. */ *src = (wint_t)(u_char)*mbsrc;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202107050947.1659l6Zl071532>