[bug-patch] integer overflow and out of bounds memory access
From: Tobias Stoeckmann
Subject: [bug-patch] integer overflow and out of bounds memory access
Date: Tue, 25 Nov 2014 17:19:54 +0100
Hi,
as discovered for OpenBSD's patch, GNU patch also suffers from
integer overflows, which can lead to arbitrary memory access.
This file will trigger out-of-bounds memory access:
$ cat a.diff
--- a Sat Nov 15 00:25:29 2014
+++ b Sat Nov 15 00:06:50 2014
@@ -1,9223372036854775807 +1,9223372036854775807 @@
-a
+b
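Review bot: the range counts in this header (9223372036854775807 old and new lines) do not match the hunk body, which carries one `-` line and one `+` line; a parser should bound each count by the input it actually has and reject a sum that does not fit the line-count type before using it to size any buffer, which is the check missing at the pch.c line cited below.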
$ touch a
$ patch a a.diff
So what's wrong?
Look at line 1666 in pch.c:
p_max = p_ptrn_lines + p_repl_lines + 1;
p_max will overflow to -1 due to our modified (and invalid) diff,
therefore no memory will be allocated. -1 is definitely smaller than
hunkmax.
Later on, line 1671:
filldst = fillsrc + p_ptrn_lines;
We assign an invalid number into filldst, which gets referenced in
line 1685:
p_len[filldst] = strlen (buf);
Therefore, we write data into a memory chunk that most likely does not
belong to us. For this example, filldst would be -9223372036854775808.
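A hardened way to parse the hunk header and compute the line budget, as an added example that is not GNU patch's or OpenBSD's code: the names `lin`, `parse_range`, `hunk_line_budget` and `check_hunk_header` are chosen here, and the checked sum stands in for the unchecked `p_max = p_ptrn_lines + p_repl_lines + 1`.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef long lin;  /* assumption: stands in for patch's line-count type */

/* Parse "-start[,count]" or "+start[,count]" from a hunk header.
   Rejects a missing sign, non-digits, negative values and ERANGE. */
static bool parse_range(const char *s, char sign, lin *start, lin *count)
{
    char *end;
    long v;
    if (*s++ != sign) return false;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || v < 0) return false;
    *start = v;
    *count = 1;                      /* "-1" alone means one line */
    if (*end == ',') {
        s = end + 1;
        errno = 0;
        v = strtol(s, &end, 10);
        if (errno == ERANGE || end == s || v < 0) return false;
        *count = v;
    }
    return *end == ' ' || *end == '\0';
}

/* Checked form of "p_max = p_ptrn_lines + p_repl_lines + 1" (pch.c:1666):
   fails instead of wrapping when the sum does not fit in lin. */
static bool hunk_line_budget(lin ptrn, lin repl, lin *p_max)
{
    if (ptrn < 0 || repl < 0 || ptrn > LONG_MAX - 1 - repl) return false;
    *p_max = ptrn + repl + 1;
    return true;
}

/* Validate a "@@ -a,b +c,d @@" line; return p_max, or -1 on any error. */
lin check_hunk_header(const char *hdr)
{
    lin os, oc, ns, nc, p_max;
    const char *plus = strncmp(hdr, "@@ ", 3) == 0 ? strchr(hdr + 3, '+') : NULL;
    if (!plus) return -1;
    if (!parse_range(hdr + 3, '-', &os, &oc)) return -1;
    if (!parse_range(plus, '+', &ns, &nc)) return -1;
    return hunk_line_budget(oc, nc, &p_max) ? p_max : -1;
}
```

Fed the header from a.diff above, `check_hunk_header` returns -1 instead of a wrapped p_max, so nothing is allocated against a bogus size.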
You can find my proposed diff for OpenBSD here:
http://marc.info/?l=openbsd-tech&m=141693055412785&w=2
I know about the license issues that could step in: I am definitely
fine if you take these changes and incorporate them into your GPL code.
Otherwise... Take it as input for your own solution. ;)
Tobias