Ticket #4642 (closed defect: fixed)
Buffer overflow in vfs_parse_ls_lga
| Reported by: | zaytsev | Owned by: | zaytsev |
|---|---|---|---|
| Priority: | major | Milestone: | 4.8.34 |
| Component: | mc-vfs | Version: | master |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Branch state: | merged | Votes for changeset: | committed-master |
Description (last modified by zaytsev) (diff)
Found in Alpine/musl on s390x, confirmed on aarch64 using valgrind - introduced in 65a7278d8a34abe804299d721749bc747e4a4833:
==156518== Invalid read of size 1 ==156518== at 0x413BE0: vfs_parse_ls_lga (parse_ls_vga.c:863) ==156518== by 0x4076C3: process_ls_line (mc_parse_ls_l.c:350) ==156518== by 0x4076C3: process_input (mc_parse_ls_l.c:376) ==156518== by 0x40736B: main (mc_parse_ls_l.c:404) ==156518== Address 0x536be6f is 1 bytes before a block of size 2 alloc'd ==156518== at 0x48854F0: malloc (vg_replace_malloc.c:446) ==156518== by 0x4CF4FCB: g_malloc (gmem.c:100) ==156518== by 0x4D0E99B: g_strdup (gstrfuncs.c:323) ==156518== by 0x413887: g_strdup_inline (gstrfuncs.h:321) ==156518== by 0x413887: vfs_parse_ls_lga (parse_ls_vga.c:848) ==156518== by 0x4076C3: process_ls_line (mc_parse_ls_l.c:350) ==156518== by 0x4076C3: process_input (mc_parse_ls_l.c:376) ==156518== by 0x40736B: main (mc_parse_ls_l.c:404)
https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/79071
Change History
comment:3 Changed 9 months ago by zaytsev
- Branch state changed from no branch to on review
Branch: 4642_fix_overflow
Changeset: 18079626c6d49a519da51ab6eeead1f0dc44e713
Caused by int -> size_t conversion and --p2 > 0 expression. I don't remove consecutive \n\n, \r\r and \n\r, only \n, \r and \r\n. My understanding is that this is the desired behavior.
Please ignore the formatting, I will rebase after #4592.
comment:4 Changed 9 months ago by andrew_b
Some suggestions
- find a more specific name for str_chomp(), since it remove a single trailing EOL not all;
- rename tests/lib/strutil/strutil.c to tests/lib/strutil/str_chomp.c;
- fix copyright year and "Written by" in tests/lib/strutil/strutil.c.
comment:5 Changed 9 months ago by zaytsev
Rebased on current master: ac9a81d9bd369fc6f571850b90a2f534dc03cc8e
find a more specific name for str_chomp(), since it remove a single trailing EOL not all;
str_rstrip_eol like Python's rstrip ?
rename tests/lib/strutil/strutil.c to tests/lib/strutil/str_chomp.c;
done
fix copyright year and "Written by" in tests/lib/strutil/strutil.c.
done
comment:6 Changed 9 months ago by andrew_b
- Votes for changeset set to andrew_b
- Branch state changed from on review to approved
comment:7 Changed 9 months ago by zaytsev
- Status changed from accepted to testing
- Votes for changeset changed from andrew_b to committed-master
- Resolution set to fixed
- Branch state changed from approved to merged
Merged as 5cae1ddd9a4dc80ace53d02da6843401eaeb4e7c .
