From: Kyle Evans
Date: Tue, 7 Apr 2020 14:14:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r359689 - head/usr.sbin/config

Author: kevans
Date: Tue Apr 7 14:14:59 2020
New Revision: 359689
URL: https://svnweb.freebsd.org/changeset/base/359689

Log:
  config(8): "fix" a couple of buffer overflows

  Recently added/changed lines in various kernel configs have caused some
  buffer overflows that went undetected. These were detected with a config
  built using -fno-common as these line buffers smashed one of our arrays,
  then further triaged with ASAN.

  Double the sizes; this is really not a great fix, but addresses the
  immediate need until someone rewrites config.

  While here, add some bounds checking so that we don't need to detect this
  by random bus errors or other weird failures.

  MFC after: 3 days

Modified:
  head/usr.sbin/config/main.c

Modified: head/usr.sbin/config/main.c ============================================================================== --- head/usr.sbin/config/main.c Tue Apr 7 12:57:50 2020 (r359688) +++ head/usr.sbin/config/main.c Tue Apr 7 14:14:59 2020 (r359689) @@ -322,7 +322,7 @@ usage(void) char * get_word(FILE *fp) { - static char line[80]; + static char line[160]; int ch; char *cp; int escaped_nl = 0; 
@@ -352,11 +352,17 @@ begin: *cp = 0; return (line); } - while ((ch = getc(fp)) != EOF) { + while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) { if (isspace(ch)) break; *cp++ = ch; } + if (cp >= line + sizeof(line)) { + line[sizeof(line) - 1] = '\0'; + fprintf(stderr, "config: attempted overflow, partial line: `%s'", + line); + exit(2); + } *cp = 0; if (ch == EOF) return ((char *)EOF); @@ -372,7 +378,7 @@ begin: char * get_quoted_word(FILE *fp) { - static char line[256]; + static char line[512]; int ch; char *cp; int escaped_nl = 0; @@ -415,15 +421,29 @@ begin: } if (ch != quote && escaped_nl) *cp++ = '\\'; + if (cp >= line + sizeof(line)) { + line[sizeof(line) - 1] = '\0'; + printf( + "config: line buffer overflow reading partial line `%s'\n", + line); + exit(2); + } *cp++ = ch; escaped_nl = 0; } } else { *cp++ = ch; - while ((ch = getc(fp)) != EOF) { + while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) { if (isspace(ch)) break; *cp++ = ch; + } + if (cp >= line + sizeof(line)) { + line[sizeof(line) - 1] = '\0'; + printf( + "config: line buffer overflow reading partial line `%s'\n", + line); + exit(2); } if (ch != EOF) (void) ungetc(ch, fp);
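Review bot: the new size in the @@ -322,7 +322,7 @@ hunk, static char line[160], is a bare literal with nothing recording what the longest expected word is, and the same holds for line[512] in get_quoted_word. A named constant with a one-line comment would document the limit, and because the added checks are written against sizeof(line) they would follow any later change to it without further edits.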
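Review bot: the diagnostic added to get_word in the @@ -352,11 +352,17 @@ hunk has no trailing newline and goes to stderr via fprintf, whereas the two checks added to get_quoted_word use printf on stdout with different wording ("line buffer overflow reading partial line") and do end in \n. Suggest one message, one stream and a trailing newline for all three so the failure is reported the same way whichever reader hits it. Minor: the loop condition calls getc(fp) before testing cp < line + sizeof(line), so one character is read and dropped when the limit is reached; that is harmless because exit(2) follows, but testing cp first would make the intent clearer.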
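Review bot: in the quoted branch of the @@ -415,15 +421,29 @@ hunk the new bounds check sits after the store *cp++ = '\\', so that store is still unchecked. If the previous iteration's *cp++ = ch filled the last byte, cp equals line + sizeof(line) on entry to the next iteration, and an escaped character then writes the backslash one byte past the buffer before the check fires. Moving the check above the if (ch != quote && escaped_nl) line, and testing for room for both bytes when escaped_nl is set, closes that. The same placement also lets the loop end on the closing quote with cp == line + sizeof(line), since the check only runs before a store; the terminator write is outside this hunk, so it is worth confirming it cannot land out of bounds, for example by repeating the check after the loop as the unquoted branch does.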