On Thu, Sep 8, 2016 at 2:19 PM, Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx> wrote:
> The text-utility ul can run into a buffer overflow on very long lines.
> See this proof of concept how to reproduce the issue:
>
> $ dd if=/dev/zero bs=1M count=10 | tr '\000' '\041' > poc.txt
> $ echo -ne '\xe\x5f\x8\x5f\x61\x2\xf\x5f\x8\x5f' | dd of=poc.txt conv=notrunc
> $ ul -i poc.txt > /dev/null # output would take ages
> Segmentation fault
> $ _
>
> The problem manifests by using alloca with "maxcol", which can be as
> large as INT_MAX, based on the input line.
>
> A very long line (> 8 MB) with modes must be supplied to ul, as seen in
> my proof of concept byte sequence above.
>
> It is rather easy to fix this issue: allocate space on the heap instead.
> maxcol could overflow here, but in that case no system will have enough
> space to handle the request, properly ending ul through an err() call.
>
>
> Signed-off-by: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
> ---
> text-utils/ul.c | 14 ++++----------
> 1 file changed, 4 insertions(+), 10 deletions(-)
Just a nit .. may as well change 'i' from an int to a long here as well.
That should cover the theoretical overflow for 64 bit machines.
> diff --git a/text-utils/ul.c b/text-utils/ul.c
> index 6721974..3fd0b6a 100644
> --- a/text-utils/ul.c
> +++ b/text-utils/ul.c
> @@ -402,11 +402,7 @@ static void flushln(void)
> static void overstrike(void)
> {
> register int i;
> -#ifdef __GNUC__
> - register wchar_t *lbuf = __builtin_alloca((maxcol + 1) * sizeof(wchar_t));
> -#else
> - wchar_t lbuf[BUFSIZ];
> -#endif
> + register wchar_t *lbuf = xmalloc((maxcol + 1) * sizeof(wchar_t));
> register wchar_t *cp = lbuf;
> int hadbold=0;
>
> @@ -439,16 +435,13 @@ static void overstrike(void)
> for (cp = lbuf; *cp; cp++)
> putwchar(*cp == '_' ? ' ' : *cp);
> }
> + free(lbuf);
> }
>
> static void iattr(void)
> {
> register int i;
> -#ifdef __GNUC__
> - register wchar_t *lbuf = __builtin_alloca((maxcol+1)*sizeof(wchar_t));
> -#else
> - wchar_t lbuf[BUFSIZ];
> -#endif
> + register wchar_t *lbuf = xmalloc((maxcol + 1) * sizeof(wchar_t));
> register wchar_t *cp = lbuf;
>
> for (i = 0; i < maxcol; i++)
> @@ -465,6 +458,7 @@ static void iattr(void)
> *cp = 0;
> fputws(lbuf, stdout);
> putwchar('\n');
> + free(lbuf);
> }
>
> static void initbuf(void)
> --
> 2.10.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe util-linux" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at https://urldefense.proofpoint.com/v2/url?u=http-3A__vger.kernel.org_majordomo-2Dinfo.html&d=DQIBAg&c=IGDlg0lD0b-nebmJJ0Kp8A&r=Wg5NqlNlVTT7Ugl8V50qIHLe856QW0qfG3WVYGOrWzA&m=bbRXLX-CYSIowTPqY28dCLlGaWC6MpdmP2mvIBLoArU&s=Tc2CgUqDnP1yFVDSU30eZqiQqUOBot-jL8ovTKiAHyk&e=
--
Shaun Tancheff
--
To unsubscribe from this list: send the line "unsubscribe util-linux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
