Bug 675962 - openrc: buffer overflow in pid_is_argv()
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: OpenRC
Hardware: All Linux
Importance: Normal normal
Assignee: OpenRC Team
Reported: 2019-01-21 08:57 UTC by Hanno Böck
Modified: 2019-02-23 01:01 UTC
Attachments
fix overflow in openrc (openrc-fix-overflow.diff,332 bytes, patch)
2019-01-21 08:57 UTC, Hanno Böck
Description Hanno Böck gentoo-dev 2019-01-21 08:57:45 UTC
Created attachment 562366
fix overflow in openrc

There is a possible buffer overflow in the function pid_is_argv().

The relevant pieces of the code:

	char buffer[PATH_MAX];
[...]
	bytes = read(fd, buffer, sizeof(buffer));
[...]
	buffer[bytes] = '\0';


So it's reading a maximum of sizeof(buffer), and then it will put a zero terminator at the end.

If the read reaches the maximum then the zero terminator will end up one byte after the buffer, leading to an overflow.

Can be fixed by reading only sizeof(buffer)-1.

Patch attached.

While this is a buffer overflow, I don't think it's plausible to assume this is in any way attacker controlled, so not handling this as a security bug.
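
The off-by-one described in this report, as an added example that is not part of the original report or of OpenRC's code. BUF_SIZE is a constructed stand-in for PATH_MAX, and pipe_with(), terminator_index() and read_cstring() are hypothetical helpers; the demo measures where the terminator would land without performing the out-of-bounds write.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 16 /* constructed stand-in for PATH_MAX */

/* Demo helper: read end of a pipe preloaded with n 'A' bytes, or -1. */
static int pipe_with(size_t n)
{
	char input[2 * BUF_SIZE];
	int fds[2];
	if (n > sizeof(input) || pipe(fds) != 0)
		return -1;
	memset(input, 'A', sizeof(input));
	if (write(fds[1], input, n) != (ssize_t)n) {
		close(fds[0]);
		fds[0] = -1;
	}
	close(fds[1]);
	return fds[0];
}

/* Index that buffer[bytes] = '\0' would use; scratch is oversized on purpose. */
static ssize_t terminator_index(size_t request, size_t input_len)
{
	char scratch[BUF_SIZE + 1];
	int fd = pipe_with(input_len);
	ssize_t bytes = (fd < 0 || request > BUF_SIZE) ? -1 : read(fd, scratch, request);
	if (fd >= 0)
		close(fd);
	return bytes;
}

/* Bounded variant: read at most bufsz-1 bytes, then terminate. */
static ssize_t read_cstring(int fd, char *buf, size_t bufsz)
{
	ssize_t bytes;
	if (bufsz == 0 || (bytes = read(fd, buf, bufsz - 1)) < 0)
		return -1;         /* error path never indexes buf */
	buf[bytes] = '\0';         /* bytes <= bufsz-1, so always in bounds */
	return bytes;
}

int main(void)
{
	char buf[BUF_SIZE];
	printf("read(sizeof(buffer)): NUL index %zd, last valid index %d\n", terminator_index(BUF_SIZE, 2 * BUF_SIZE), BUF_SIZE - 1);
	printf("read(sizeof(buffer)-1): NUL index %zd\n", read_cstring(pipe_with(2 * BUF_SIZE), buf, sizeof(buf)));
}
```

The overflow only occurs when the input is at least sizeof(buffer) bytes long; shorter inputs leave the terminator inside the buffer in both variants.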
Comment 1 William Hubbs gentoo-dev 2019-02-23 01:01:05 UTC
The patch does not apply to current HEAD, but this looks to now be fixed
another way.

If it isn't, feel free to reopen.

Thanks,

William