This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH v3] [BZ #17273] fix incorrect mount table entry parsing in __getmntent_r()


On 04 Oct 2014 13:31, Vladimir A. Nazarenko wrote:
> --- a/misc/mntent_r.c
> +++ b/misc/mntent_r.c
> @@ -135,7 +135,11 @@ __getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz)
>  
>        end_ptr = strchr (buffer, '\n');
>        if (end_ptr != NULL)	/* chop newline */
> -	*end_ptr = '\0';
> +	{
> +	  while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
> +            end_ptr--;
> +	  *end_ptr = '\0';
> +	}
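Review bot: the back-walk `while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')` has no lower bound, so on a line that is only "\n" (end_ptr == buffer) it reads end_ptr[-1], a byte before the caller's buffer, and if that byte is a blank or tab the following `*end_ptr = '\0'` writes outside the buffer too; the same happens for a whitespace-only line once the walk reaches buffer. Guard the loop with `end_ptr > buffer &&` before the character tests. Also, the `end_ptr--;` line is indented with spaces while the surrounding lines use tabs.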

This randomly corrupts memory when you get a blank line, which is pretty
common I think in /etc/fstab.  buffer = "\n" which means end_ptr will be
buffer, which means end_ptr[-1] is random stack memory.  If it happens to
be 0x20 or 0x09, you corrupt a single byte.  Happens whenever the line is
just whitespace as you walk back to the start of the buffer allocation.

The way the malloc heaps are laid out, it doesn't seem to be noticed for
most arches, but it's easily reproducible on ppc32.

https://sourceware.org/bugzilla/show_bug.cgi?id=18887
-mike
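The failure described in the reply, and the bound the trim loop needs, as an added stand-alone example; this is not glibc code and not the patch author's code. The function name `chop_line` and the sample lines are constructed for illustration. It performs the same newline-plus-trailing-blanks trim the quoted hunk attempts, but only inspects end_ptr[-1] while end_ptr is past the start of the buffer, so a line that is just "\n" or only whitespace never reads or writes before the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not glibc's __getmntent_r): strip the newline and any
   trailing blanks/tabs from one mount-table line in place, returning the
   new length.  The guard `end_ptr > buffer` is what keeps a blank line
   ("\n", end_ptr == buffer) from touching the byte before the buffer.  */
size_t chop_line (char *buffer)
{
  char *end_ptr = strchr (buffer, '\n');

  if (end_ptr == NULL)
    /* No newline: the line was cut off by the buffer size; leave as is.  */
    return strlen (buffer);

  /* Walk back over trailing whitespace, but never past the buffer start.  */
  while (end_ptr > buffer && (end_ptr[-1] == ' ' || end_ptr[-1] == '\t'))
    end_ptr--;

  *end_ptr = '\0';              /* chop newline (and trailing blanks) */
  return (size_t) (end_ptr - buffer);
}

int main (void)
{
  /* Constructed sample lines, as fgets() would leave them in the buffer.  */
  char blank[] = "\n";
  char spaces[] = "  \t\n";
  char entry[] = "/dev/sda1 / ext4 defaults 0 1  \t\n";
  char no_nl[] = "truncated";

  printf ("%zu [%s]\n", chop_line (blank), blank);
  printf ("%zu [%s]\n", chop_line (spaces), spaces);
  printf ("%zu [%s]\n", chop_line (entry), entry);
  printf ("%zu [%s]\n", chop_line (no_nl), no_nl);
  return 0;
}
```

The first two calls are the cases the reply describes: with the bound in place they return 0 and leave an empty string, instead of scanning backwards out of the allocation.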


