shithub: riscv


ref: 86e63c36eded29e46a17628264b73d743df9a864
parent: ffa761beae76043ff7630bd45f68cb5ed08a93fa
author: cinap_lenrek <[email protected]>
date: Thu Dec 11 13:32:50 EST 2014

kbmap: fix sprint() buffer overflow (thanks silasm)

A buffer can be overflowed in the init function of kbmap.c by using a filename of more than 112 characters.

sample output:
% cd /sys/lib/kbmap
% touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
% kbmap
kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df
offending code is most likely the call to sprint in the init function of /sys/src/cmd/kbmap.c,
which in this case writes /sys/lib/kbmap/$file to a 128-bit buffer.
I'm willing to submit a patch for this myself along with a few minor improvements/fixes to kbmap
if I can figure out the nuances of doing so.

--silasm
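The arithmetic behind the report above, as an added example that is not part of the commit or of kbmap.c: a fixed 128-byte buffer holds "/sys/lib/kbmap/" plus a name of at most 112 characters and the terminating NUL, so a 113-character name overflows it. The code below is standard C rather than Plan 9 libc (snprintf/malloc in place of sprint/emalloc), with a length check for the fixed-buffer case and the sized-allocation form the patch adopts.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; names (joined_len, fits_fixed, join_path, make_name)
 * are illustrative and do not exist in kbmap.c. */

/* Bytes needed to hold "dir/name" including the terminating NUL. */
size_t joined_len(const char *dir, const char *name)
{
	return strlen(dir) + 1 + strlen(name) + 1;
}

/* Would "dir/name" fit in a fixed buffer of bufsz bytes? This is the
 * check the original char buf[128] + sprint() combination never made. */
int fits_fixed(const char *dir, const char *name, size_t bufsz)
{
	return joined_len(dir, name) <= bufsz;
}

/* Hardened form mirroring the patch: size the allocation from the
 * inputs, then format with an explicit bound. Caller frees the result.
 * Returns NULL when allocation fails. */
char *join_path(const char *dir, const char *name)
{
	size_t n = joined_len(dir, name);
	char *p = malloc(n);
	if (p == NULL)
		return NULL;
	snprintf(p, n, "%s/%s", dir, name);
	return p;
}

/* Constructed input: a file name of the given length made of 'a's,
 * like the touch in the report. Caller frees. */
char *make_name(size_t len)
{
	char *s = malloc(len + 1);
	if (s == NULL)
		return NULL;
	memset(s, 'a', len);
	s[len] = '\0';
	return s;
}

int main(void)
{
	const char *dir = "/sys/lib/kbmap";
	size_t lens[] = {112, 113};
	size_t i;

	for (i = 0; i < 2; i++) {
		char *name = make_name(lens[i]);
		char *path = join_path(dir, name);
		printf("name length %zu: fits char buf[128]? %s; needs %zu bytes\n",
		       lens[i], fits_fixed(dir, name, 128) ? "yes" : "no",
		       joined_len(dir, name));
		free(path);
		free(name);
	}
	return 0;
}
```

The 112/113 boundary comes out of joined_len(): 14 bytes of directory, one separator, the name, one NUL. The sized-allocation form removes the boundary entirely because the buffer is never smaller than what the format writes.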

--- a/sys/src/cmd/kbmap.c
+++ b/sys/src/cmd/kbmap.c
@@ -64,7 +64,6 @@
 {
 	int i, fd, nr;
 	Dir *pd;
-	char buf[128];
 
 	if((fd = open(dir, OREAD)) < 0)
 		return;
@@ -72,8 +71,8 @@
 	nmap = nr = dirreadall(fd, &pd);
 	map = emalloc(nr * sizeof(KbMap));
 	for(i=0; i<nr; i++){
-		sprint(buf, "%s/%s", dir, pd[i].name);
-		map[i].file = estrdup(buf);
+		map[i].file = emalloc(strlen(dir) + strlen(pd[i].name) + 2);
+		sprint(map[i].file, "%s/%s", dir, pd[i].name);
 		map[i].name = estrdup(pd[i].name);
 		map[i].current = 0;
 	}
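Review bot: the allocation size on the emalloc line and the format on the sprint line below it must agree by hand (strlen(dir) + strlen(pd[i].name) plus one for the '/' and one for the NUL, so the + 2 is correct), and nothing enforces that agreement if either line is later changed. Keeping the computed size in a local and using snprint(map[i].file, n, "%s/%s", dir, pd[i].name), or letting smprint("%s/%s", dir, pd[i].name) allocate the exact size itself, would make the bound explicit in the call that writes.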