Date:      Sat, 3 Apr 2021 15:14:14 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: cbadf77834e1 - stable/13 - libctf: Fix an out-of-bounds read in ctf_lookup_by_name()
Message-ID:  <202104031514.133FEE62089300@gitrepo.freebsd.org>

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=cbadf77834e145d42ff9805694c4fccd44df7f8b

commit cbadf77834e145d42ff9805694c4fccd44df7f8b
Author:     Domagoj Stolfa <domagoj.stolfa@gmail.com>
AuthorDate: 2021-03-27 18:04:12 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-04-03 15:11:55 +0000

    libctf: Fix an out-of-bounds read in ctf_lookup_by_name()
    
    When prefixes such as struct, union, etc. are compared with the current
    type (e.g. struct foo), a comparison is made with the prefix.  The code
    currently assumes that every type is a valid C type with a prefix,
    however at times, garbage ends up in this function causing an
    unpredictable crash with DTrace due to the isspace(*p) call or
    subsequent calls. An example that I've seen of this is the letter 's'
    being passed in, comparing true with struct as the comparison size was
    (q - p) == 1, but then we increment p with the length of "struct",
    resulting in an out-of-bounds read.
    
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D29435
    
    (cherry picked from commit 410556f1f10fd35b350102725fd8504c3cb0afc8)
---
 cddl/contrib/opensolaris/common/ctf/ctf_lookup.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cddl/contrib/opensolaris/common/ctf/ctf_lookup.c b/cddl/contrib/opensolaris/common/ctf/ctf_lookup.c
index aa58663309b6..5912cc1a36e8 100644
--- a/cddl/contrib/opensolaris/common/ctf/ctf_lookup.c
+++ b/cddl/contrib/opensolaris/common/ctf/ctf_lookup.c
@@ -132,8 +132,9 @@ ctf_lookup_by_name(ctf_file_t *fp, const char *name)
 			continue; /* skip qualifier keyword */
 
 		for (lp = fp->ctf_lookups; lp->ctl_prefix != NULL; lp++) {
-			if (lp->ctl_prefix[0] == '\0' ||
-			    strncmp(p, lp->ctl_prefix, (size_t)(q - p)) == 0) {
+			if ((size_t)(q - p) >= lp->ctl_len &&
+			    (lp->ctl_prefix[0] == '\0' ||
+			    strncmp(p, lp->ctl_prefix, (size_t)(q - p)) == 0)) {
 				for (p += lp->ctl_len; isspace(*p); p++)
 					continue; /* skip prefix and next ws */
 
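Review bot: the new guard `(size_t)(q - p) >= lp->ctl_len` stops the 's'-vs-"struct" case from advancing `p` past the token, but the correctness of the combined condition now rests on an unstated interaction with the `strncmp()` bound. Because the bound stays `(size_t)(q - p)` (which is at least `ctl_len` once the guard passes), a longer token such as "structfoo" is rejected only because the comparison runs into the prefix's terminating NUL; if someone later "tidies" the bound to `lp->ctl_len`, that token would silently match and `p` would land mid-identifier. Likewise `>=` rather than `==` is needed only so the empty-prefix fallback entry (whose `ctl_len` is presumably 0) keeps matching every token. A one-line comment above the `if` stating both invariants, e.g. `/* token must be at least ctl_len bytes; bound of q - p rejects longer tokens via the prefix NUL */`, would keep the next editor from undoing the fix.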


