These two patches fix minor memory bugs, and are attached to avoid mangling by
the university email system.
Both bugs can be observed with Valgrind as follows:
$ echo busybox | ./busybox cpio -F test.cpio -H newc -o
$ valgrind ./busybox cpio -F test.cpio -t
Causes strlen to read beyond the 110-byte header buffer
(archival/libarchive/get_header_cpio.c:46)
This depends on the implementation of sscanf; Linux glibc 2.32 on x86-64 and
FreeBSD 13 libc on aarch64 both exhibited this behaviour in my testing.
$ valgrind ./busybox vi
Type 'i' and then Esc; this causes a read just before the text buffer
(editors/vi.c:2147)
Additionally, there appears to be a similar issue in awk which is *not*
reported by Valgrind:
$ ./busybox awk -e foo
Appears to write before the program buffer (editors/awk.c:1222)
Fixing it looks like it would need large changes to awk's parser, and possibly
allocating some memory instead of reusing bits of the program buffer.
I don't know awk well enough to make changes this involved, so I don't have a
fix for it.
By the look of things, the program buffer is a pointer into argv, so this write
probably corrupts earlier arguments.
If the arguments are always consumed left-to-right this might not ever become
an actual problem.
Kind regards,
Sarah Harris
From: S Harris <[email protected]>
Date: Mon, 21 Jun 2021 10:00:17 +0100
Subject: [PATCH 1/2] cpio: fix sscanf on unterminated buffer
Signed-off-by: S Harris <[email protected]>
---
archival/libarchive/get_header_cpio.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/archival/libarchive/get_header_cpio.c b/archival/libarchive/get_header_cpio.c
index 4ad174732..4e4a21ea2 100644
--- a/archival/libarchive/get_header_cpio.c
+++ b/archival/libarchive/get_header_cpio.c
@@ -20,7 +20,7 @@ typedef struct hardlinks_t {
char FAST_FUNC get_header_cpio(archive_handle_t *archive_handle)
{
file_header_t *file_header = archive_handle->file_header;
- char cpio_header[110];
+ char cpio_header[111];
int namesize;
int major, minor, nlink, mode, inode;
unsigned size, uid, gid, mtime;
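Review bot: the new array size 111 in this hunk, the read length 110 in the next one and the terminator index 110 added there are one constant written three ways; a single `enum { CPIO_HDR_LEN = 110 };` (or `#define`) with `char cpio_header[CPIO_HDR_LEN + 1];`, `full_read(..., CPIO_HDR_LEN)` and `cpio_header[CPIO_HDR_LEN] = 0;` keeps them in step if the header length is ever touched again and makes the +1 self-explanatory.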
@@ -29,6 +29,7 @@ char FAST_FUNC get_header_cpio(archive_handle_t *archive_handle)
data_align(archive_handle, 4);
size = full_read(archive_handle->src_fd, cpio_header, 110);
+ cpio_header[110] = 0; // sscanf calls strlen which may break without this
if (size == 0) {
goto create_hardlinks;
}
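Review bot: `cpio_header[110] = 0;` only protects the full-header case; `full_read` can hand back fewer than 110 bytes, and the visible `if (size == 0)` handles just the empty case, so unless the code below already rejects `size != 110` before the sscanf, a short read still leaves uninitialised bytes between `size` and 110 that sscanf scans before it reaches the new terminator. Treating any `size != 110` as a short-read error ahead of the sscanf (rather than terminating at `size`, since `size` is unsigned and a -1 from `full_read` would index far out of bounds) closes that. The comment would also read better in the surrounding `/* */` style and state the actual requirement, e.g. `/* sscanf needs a NUL-terminated string */`, rather than "may break without this".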
--
2.31.1
From: S Harris <[email protected]>
Date: Mon, 21 Jun 2021 11:04:49 +0100
Subject: [PATCH 2/2] vi: fix read outside of text buffer during insert
Signed-off-by: S Harris <[email protected]>
---
editors/vi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/editors/vi.c b/editors/vi.c
index 0baea615b..7e0d27de3 100644
--- a/editors/vi.c
+++ b/editors/vi.c
@@ -2144,7 +2144,7 @@ static char *char_insert(char *p, char c, int undo) // insert the char c at 'p'
cmdcnt = 0;
end_cmd_q(); // stop adding to q
last_status_cksum = 0; // force status update
- if ((p[-1] != '\n') && (dot > text)) {
+ if (p > text && (p[-1] != '\n') && (dot > text)) {
p--;
}
#if ENABLE_FEATURE_VI_SETOPTS
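Review bot: `p > text` is placed correctly as the first operand, so `p[-1]` is never evaluated when `p == text`, but the hunk now carries two lower-bound guards with no hint of how `p` and `dot` relate here: if `p == dot` holds at this point, `dot > text` is redundant and could go; if they can differ, a one-line comment saying when `p == text` is reached (the cover letter's case of 'i' then Esc in a fresh buffer) would save the next reader from re-deriving why both tests are needed.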
--
2.31.1
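As an added example, not code from this mail or from BusyBox, the parse below does what get_header_cpio's sscanf does on a newc header but from a NUL-terminated copy, so the strlen inside sscanf has a defined end, and it also rejects the short-read case that the patch leaves to the surrounding code. The field layout (6-byte magic, then thirteen 8-digit hex fields, 110 bytes in total) is the standard SVR4 newc format; the function names, the struct and the sample header values are mine.

```c
#include <stdio.h>
#include <string.h>

/* Standard newc header: "070701"/"070702" magic + 13 fields of 8 hex digits. */
#define NEWC_HDR_LEN 110
#define NEWC_FIELDS  13

struct newc_hdr {
    unsigned ino, mode, uid, gid, nlink, mtime, filesize;
    unsigned devmajor, devminor, rdevmajor, rdevminor, namesize, check;
};

/* Parse a raw header as full_read() would fill it: `len` bytes, no terminator.
 * Returns 0 on success, -1 on a short read, bad magic or a field that did not
 * scan. The copy into buf[] is what makes the sscanf safe: sscanf may call
 * strlen on its input, so the input must end in a NUL the caller controls. */
int parse_newc_header(const char *raw, size_t len, struct newc_hdr *h)
{
    char buf[NEWC_HDR_LEN + 1];           /* +1 for the terminator */
    int n;

    if (len < NEWC_HDR_LEN)               /* short read: refuse, do not scan garbage */
        return -1;
    memcpy(buf, raw, NEWC_HDR_LEN);
    buf[NEWC_HDR_LEN] = '\0';

    if (memcmp(buf, "070701", 6) != 0 && memcmp(buf, "070702", 6) != 0)
        return -1;                        /* newc or newc-with-crc magic only */

    n = sscanf(buf + 6,
               "%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x",
               &h->ino, &h->mode, &h->uid, &h->gid, &h->nlink, &h->mtime,
               &h->filesize, &h->devmajor, &h->devminor, &h->rdevmajor,
               &h->rdevminor, &h->namesize, &h->check);
    return n == NEWC_FIELDS ? 0 : -1;
}

/* Serialise a header into out[NEWC_HDR_LEN + 1]; used here only to build
 * constructed test input. */
void build_newc_header(char *out, const struct newc_hdr *h)
{
    snprintf(out, NEWC_HDR_LEN + 1,
             "070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x",
             h->ino, h->mode, h->uid, h->gid, h->nlink, h->mtime, h->filesize,
             h->devmajor, h->devminor, h->rdevmajor, h->rdevminor,
             h->namesize, h->check);
}

/* Round-trip a constructed header through a deliberately unterminated
 * 110-byte buffer and exercise the short-read and bad-magic paths.
 * Returns 0 if every check passes, otherwise the number of the failing check. */
int selftest(void)
{
    /* constructed sample: regular file, mode 0644, 8 data bytes, 8-byte name */
    struct newc_hdr in = { 1, 0100644, 0, 0, 1, 0x60d0c1d1, 8, 8, 1, 0, 0, 8, 0 };
    struct newc_hdr out;
    char terminated[NEWC_HDR_LEN + 1];
    char raw[NEWC_HDR_LEN];               /* no room for a NUL, like the original buffer */

    build_newc_header(terminated, &in);
    memcpy(raw, terminated, NEWC_HDR_LEN);

    if (parse_newc_header(raw, sizeof raw, &out) != 0) return 1;
    if (out.mode != in.mode || out.filesize != 8 || out.namesize != 8) return 2;
    if (parse_newc_header(raw, 50, &out) != -1) return 3;        /* short read rejected */
    memcpy(raw, "070700", 6);
    if (parse_newc_header(raw, sizeof raw, &out) != -1) return 4; /* non-newc magic rejected */
    return 0;
}

int main(void)
{
    int rc = selftest();
    printf("selftest: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

Run under Valgrind the same way as the report above; because the scan only ever sees the terminated copy, there is no read past the 110 raw bytes regardless of how the libc implements sscanf.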
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox