bug-bash

heap-buffer-overflow in finfo.c


From: Grisha Levit
Subject: heap-buffer-overflow in finfo.c
Date: Thu, 24 Aug 2023 13:23:18 -0400

$ enable finfo
$ finfo -P '' .
ERROR: AddressSanitizer: heap-buffer-overflow ...
READ of size 1 at 0x003b09b8d4d1 thread T0
    #0 0x6e45535088 in octal examples/loadables/finfo.c:104:9

Could either fix up the octal function:

diff --git a/examples/loadables/finfo.c b/examples/loadables/finfo.c
index 64a9e910..98408c3a 100644
--- a/examples/loadables/finfo.c
+++ b/examples/loadables/finfo.c
@@ -100,9 +100,9 @@ octal(char *s)
 {
        int     r;

-       r = *s - '0';
-       while (*++s >= '0' && *s <= '7')
-               r = (r * 8) + (*s - '0');
+       r = 0;
+       while (*s >= '0' && *s <= '7')
+               r = (r * 8) + (*s++ - '0');
        return r;
 }
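Review bot: An empty or non-octal argument still makes `octal` return a silent 0, and anything after the last octal digit is ignored, so the `-P ''` case from the report would run with a zero mask instead of being rejected. `r` is also a plain `int` with no limit on the number of digits, so a long digit string overflows it, which is undefined behaviour for signed arithmetic. Consider counting the digits consumed and ending with `return (digits == 0 || *s) ? -1 : r;`, with the `-P` caller checking for a negative result. For a permission mask, a bound inside the loop such as `if (r > 07777) return -1;` would cover the overflow. The function's `static int` line sits above the hunk.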

Or use the same one as the other builtins do:

diff --git a/examples/loadables/finfo.c b/examples/loadables/finfo.c
index 64a9e910..2ab5c579 100644
--- a/examples/loadables/finfo.c
+++ b/examples/loadables/finfo.c
@@ -53,7 +53,6 @@ extern int    errno;

 extern char    **make_builtin_argv (WORD_LIST *, int *);

-static int     octal(char *);
 static struct stat *getstat(char *);
 static int     printinfo(char *);
 static int     getperm(int);
@@ -95,17 +94,6 @@ static int   pmask;

 #define OPTIONS                "acdgiflmnopsuACGMP:U"

-static int
-octal(char *s)
-{
-       int     r;
-
-       r = *s - '0';
-       while (*++s >= '0' && *s <= '7')
-               r = (r * 8) + (*s - '0');
-       return r;
-}
-
 static int
 finfo_main(int argc, char **argv)
 {
@@ -136,7 +124,14 @@ finfo_main(int argc, char **argv)
                case 'n': flags |= OPT_NLINK; break;
                case 'o': flags |= OPT_OPERM; break;
                case 'p': flags |= OPT_PERM; break;
-               case 'P': flags |= OPT_PMASK; pmask = octal(sh_optarg); break;
+               case 'P':
+                       flags |= OPT_PMASK;
+                       pmask = read_octal(sh_optarg);
+                       if (pmask < 0) {
+                               builtin_error("invalid mode: %s", sh_optarg);
+                               return(1);
+                       }
+                       break;
                case 's': flags |= OPT_SIZE; break;
                case 'u': flags |= OPT_UID; break;
                case 'U': flags |= OPT_UID|OPT_ASCII; break;
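Review bot: The new `case 'P'` calls `read_octal`, but none of the visible hunks add a prototype or an include for it, while the file-local `octal` prototype is removed. Presumably the declaration comes from a shell header that finfo.c already includes; worth confirming so the call is not compiled as an implicit declaration. A one-line comment above the check would make the contract explicit, e.g. `/* read_octal returns -1 for an empty, non-octal or out-of-range string */`, worded to match what the helper actually guarantees. A regression case for `finfo -P '' .` would keep the reported overflow from returning. `finfo_main` begins and continues outside this hunk, so the other exit paths and their return values are not visible here.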


