
bug#45026: closed (Heap corruption buffer overflow in bsd_probe)


From: GNU bug Tracking System
Subject: bug#45026: closed (Heap corruption buffer overflow in bsd_probe)
Date: Sat, 05 Dec 2020 01:07:01 +0000

Your message dated Fri, 4 Dec 2020 17:05:51 -0800
with message-id <20201205010551.GK91492@ohop.brianlane.com>
and subject line Re: bug#45026: Heap corruption buffer overflow in bsd_probe
has caused the debbugs.gnu.org bug report #45026,
regarding Heap corruption buffer overflow in bsd_probe
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
45026: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=45026
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: Heap corruption buffer overflow in bsd_probe
Date: Thu, 3 Dec 2020 13:45:48 -0500
User-agent: Mutt/1.5.21 (2010-09-15)
Commit a5f69f396713ab8ac1e57458cbb9af552d2c1659 rearranged bsd.c's
bsd_probe function in a way that changed the meaning of the local
variable label, but left alone the call to alpha_bootblock_checksum,
thereby causing the checksum to take place over the wrong range of
bytes and be written 56 bytes past the end of the allocated memory.
The checksum call should probably just be removed as the results don't
seem to be used.

This was discovered via a bug report against the Alpine Linux package,
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12161. It
appears we just got really lucky catching this, as only one value well
beyond the end of the allocation is written. It turns out that 64+512
makes up exactly the size of musl/mallocng's next size class over 512,
576, and writing 8 bytes before that clobbers all the consistency
checks at the end of the slot and the header of the next slot. However
valgrind also seems to catch the bug when running the test cases.



--- End Message ---
--- Begin Message ---
Subject: Re: bug#45026: Heap corruption buffer overflow in bsd_probe
Date: Fri, 4 Dec 2020 17:05:51 -0800
How did you get valgrind to hit that? I'm not seeing it complain about
bsd.c on Fedora.

I've pushed this fix to master.

Brian

-- 
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart



--- End Message ---
